[caops-wg] [igtf-general] Re: Certificate Profile document updated (to v0.14)

Mike Helm helm at fionn.es.net
Fri Nov 10 14:08:48 CST 2006


I haven't had time to get back to this for more review, but 2 things:
(1) name constraints.  We need to say something about this.
My understanding is that most grid middleware and many if not all applications
will not be able to deal with name constraints (it's a critical extension,
and most software doesn't know how to interpret it, and there are continuing
problems with the PKIX interpretation rules).

I was also told recently both that openssl had name constraint capability now,
and that it didn't work.

I think what we need to say is that this extension cannot (must not) be used currently
in Grid middleware.  Perhaps that could be should not, since a "private" grid
might be able to pick & control x.509 software that can cope with name constraints.

(It's also useless, except in networks of CAs, but we probably don't need to
get into that.)

(2) A subscriber asks about key usage settings for client & server (this is 
the NS cert type extension, not the other possibility).  We set both for
people - in the old days in Grids, people set up one-off servers with
personal certs, and so it was a "requirement".  We are currently recommending
not to use NS types at all; does this need refining?

Thanks, ==mwh
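As an added example (not part of this message or of the profile document), the shell session below builds a throwaway CA carrying a critical nameConstraints extension and a leaf carrying nsCertType, shows that openssl verify does enforce the constraint, and lints both certificates for the two extensions discussed above. All subject names, file paths and the .example.org / .other.org DNS names are constructed.

```shell
#!/bin/sh
# Constructed example: a CA with critical nameConstraints and a leaf with
# nsCertType, then a name-constraint check and a lint for both extensions.
set -eu
WORK=$(mktemp -d)
cat >"$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
nameConstraints = critical,permitted;DNS:.example.org
[leaf_ext]
nsCertType = client,server
subjectAltName = DNS:host.other.org
EOF
# Throwaway self-signed CA, then a leaf signed by it (keys are discarded after).
openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed CA" \
  -config "$WORK/ext.cnf" -extensions ca_ext -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Constructed Leaf" \
  -config "$WORK/ext.cnf" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
  -days 1 -extfile "$WORK/ext.cnf" -extensions leaf_ext -out "$WORK/leaf.pem" 2>/dev/null

# verify_leaf CA LEAF: returns 0 if the chain validates, non-zero otherwise.
verify_leaf() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# lint_cert CERT: prints one tag per flagged extension, returns 1 if any found.
lint_cert() {
  text=$(openssl x509 -in "$1" -noout -text)
  status=0
  # Critical name constraints: middleware that cannot process them must reject.
  if printf '%s\n' "$text" | grep -q 'Name Constraints: critical'; then
    echo "name-constraints-critical"; status=1
  fi
  # Legacy Netscape cert type: the profile recommends not setting it at all.
  if printf '%s\n' "$text" | grep -q 'Netscape Cert Type'; then
    echo "netscape-cert-type"; status=1
  fi
  return $status
}

# The leaf's DNS name is outside the permitted subtree, so the chain is rejected.
verify_leaf "$WORK/ca.pem" "$WORK/leaf.pem" && echo "chain OK" || echo "chain rejected: name constraint violated"
for f in ca.pem leaf.pem; do lint_cert "$WORK/$f" || echo "  ^ $f does not meet the profile"; done
```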
