AuthN CA middleware support [Fwd: [caops-wg] Draft Agenda]
David Groep
davidg at nikhef.nl
Wed May 10 04:57:02 CDT 2006
Hi Olle,
Olle Mulmo wrote:
> ...
> The last point ("make validation...") is too vaguely stated. Any
> certificate in the chain implies that the RP should honor arbitrary
> Policy OIDs embedded in self-issued proxy certs. I suggest narrowing
> this down to EE and sub-CA certs for now.
Agreed. In a practical implementation, though, I would suggest that
the policy allows a set of ranges of policy OIDs from a specific issuer,
and that that range is configurable independently for each issuer or
group of issuers.
E.g.
* from "The Banana CA"
* allow only EE certs with oids 1.2.840.113612.5.2.3.1.99.(2-3,7).*
(and maybe denial as well, although that will surely be a hot topic :-)
To indicate only those EE certificates with the additional policy
statements that the private key is stored in a peach(2), a pineapple(3)
or an orange(7) or in any subspecies thereof.
> You could add another wishlist item that middleware providers should
> honor the same configuration syntax that controls the OID set and
> namespace constraints... (and the CAOPS group should quickly find
> volunteers that nail down that syntax).
Kind of agree as well. The same syntax for all middlewares is certainly
needed; a common (and simple) syntax for expressing RP-namespace
constraints and OID constraints would be nice, but hard...
Cheers,
DavidG.
--
David Groep
** National Institute for Nuclear and High Energy Physics, PDP/Grid group **
** Room: H1.56 Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
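An added worked example (mine, not part of the thread): a small Python matcher for the per-issuer OID-range syntax sketched in David's reply above, where an arc may be a parenthesised list of numbers or ranges such as (2-3,7) and a trailing `*` matches any further sub-arcs. The issuer name and the policy table are constructed for illustration; a real RP would populate them from its per-issuer configuration.

```python
import re

# Constructed per-issuer policy in the style of the message above: only EE
# certs from "The Banana CA" asserting a policy OID under 1.2.840.113612.5.2.3.1.99
# with a tenth arc of 2, 3 or 7 (and anything below it) are accepted.
ISSUER_POLICY = {
    "The Banana CA": ["1.2.840.113612.5.2.3.1.99.(2-3,7).*"],
}

# One arc is a number, a parenthesised list of numbers/ranges, or '*'.
_ARC_RE = re.compile(r"\d+|\((?:\d+(?:-\d+)?)(?:,\d+(?:-\d+)?)*\)|\*")

def parse_pattern(pattern):
    """Turn '1.2.(2-3,7).*' into a list of arc matchers: int, [(lo, hi), ...] or '*'."""
    arcs = []
    for tok in pattern.split("."):
        if not _ARC_RE.fullmatch(tok):
            raise ValueError(f"bad arc {tok!r} in pattern {pattern!r}")
        if tok == "*":
            arcs.append("*")
        elif tok.startswith("("):
            ranges = []
            for part in tok[1:-1].split(","):
                lo, _, hi = part.partition("-")
                ranges.append((int(lo), int(hi or lo)))  # "7" becomes (7, 7)
            arcs.append(ranges)
        else:
            arcs.append(int(tok))
    if "*" in arcs and arcs.index("*") != len(arcs) - 1:
        raise ValueError("'*' is only allowed as the last arc")
    return arcs

def oid_matches(oid, pattern):
    """True if the concrete dotted OID falls inside the pattern."""
    arcs = parse_pattern(pattern)
    nums = [int(a) for a in oid.split(".")]
    for i, arc in enumerate(arcs):
        if arc == "*":
            return True                  # any (even empty) tail is accepted
        if i >= len(nums):
            return False                 # OID is shorter than the pattern
        if isinstance(arc, int):
            if nums[i] != arc:
                return False
        elif not any(lo <= nums[i] <= hi for lo, hi in arc):
            return False
    return len(nums) == len(arcs)        # without '*' the lengths must agree

def policy_accepted(issuer, cert_policy_oids):
    """Accept an EE cert only if every policy OID it asserts is allowed for its issuer."""
    patterns = ISSUER_POLICY.get(issuer, [])
    return bool(cert_policy_oids) and all(
        any(oid_matches(o, p) for p in patterns) for o in cert_policy_oids)
```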