[caops-wg] OCSP & Proxy Certs
Mike Helm
helm at fionn.es.net
Thu Jan 26 15:43:24 CST 2006
Matt Crawford writes:
> [About proxy certs]... When a user on host A delegates to
> B, which then authenticates to C, the proxy cert is created at A,
> stored at B and seen at C.
2 contradictory thoughts occurred to me
A) What if proxy certs had a "Made at <X>" stamp on them
(Does anybody do this now?) Would this help?
At the very least, the relying party could scan certs
for this attribute and disallow something it doesn't like.
B) What we don't want is migrating proxy cert private keys
(Is this true? I wouldn't be surprised to find somebody
depending on being able to do this, but I hope not).
But all we can do is stamp the public key, not the private
key. We can't tell if a private key has migrated somewhere
we don't want it to be.
More information about the caops-wg
mailing list