[caops-wg] Proxy certificate revocation text

Mike Helm helm at fionn.es.net
Fri Feb 10 14:32:15 CST 2006


David Chadwick writes:
> I would actually go further than you do, and say that no-one is allowed 
> to revoke a proxy certificate except its creator or an authorised 
> delegate of the creator. Allowing anyone else to revoke a proxy is 
> equivalent to allowing a DOS attack on the proxy. On the other hand, a 

I think this is a great, idealistic view of the situation.

Whether resource owner revocation is practical or not is a question.

However, in some or maybe most all cases, proxy certs are created
with the partial cooperation of a resource owner or related service,
and so, they have a stake in this certificate.  The key pairs are also portable.
Communicating to other resource owners that a specific proxy
certificate should no longer be used could be useful; it may be
seen as necessary, to contain a security problem.

Applying the principles that apply to an identity certificate
to a short term or proxy certificate doesn't seem appropriate.
They are ephemeral and mistakes are easily repaired.  Denial
of service is a typical byproduct of most security breaches and
recovery scenarios; revoking selected proxy certificates rather
than blocking all contact from a user seems like a step
in a positive direction.  Also, communication is important in
dealing with security breaches.  Healing your own problems
but ignoring everyone else's is a real weakness of distributed
computing security response.  We hear all the time, I want to know
about your blacklists!  I want to know about things you block!
when issues like this are raised. 

I think we can note these objections but we can also make
some recommendations about how relying parties can communicate
revocation information should they need to do so.

I admit I take the point of view that the rights of the resource
owner are pretty much absolute and so I think they have considerable
say in what happens with a proxy certificate key pair found
on their machine or minted on their service. 

> resource owner is the source of authority for his own resource, and can 
> trust or distrust any certs that he wants to (PKC and AC). Therefore a 
> resource owner can blacklist anything from using his resource. But this 
> is not revocation of a proxy cert, since the proxy cert is still 
> authentic and can still be used at other resources that trust it. It 

That perhaps, shouldn't trust it, either.

> simply isn't valid for use at the local resource. Revocation on the other 
> hand ensures that no-one should trust the proxy cert, since the issuer 
> is saying that it is no longer valid.
> 
> regards
> 
> David
> 
> 
> jluna at ac.upc.edu wrote:
> > Hi!
> > You will find attached to this message our proposed text for the Proxy
> > Revocation topic, taking into account some comments from D. Chadwick as
> > mentioned in the teleconference.
> > 
> > Best regards,
> > Oscar & Jesus
> > 
> 
> -- 
> 
> *****************************************************************
> David W. Chadwick, BSc PhD
> Professor of Information Systems Security
> The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
> Tel: +44 1227 82 3221
> Fax +44 1227 762 811
> Mobile: +44 77 96 44 7184
> Email: D.W.Chadwick at kent.ac.uk
> Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
> Research Web site: http://sec.cs.kent.ac.uk
> Entrust key validation string: MLJ9-DU5T-HV8J
> PGP Key ID is 0xBC238DE5
> 
> *****************************************************************
> 




