[caops-wg] Requirements and rationale for Relying Party Defined Namespace Constraints (signing_policy file)

David Chadwick d.w.chadwick at kent.ac.uk
Sat Mar 1 08:09:57 CST 2008


Hi David

I think this document is fundamentally flawed. This is either because it 
reflects the grid security infrastructure which is fundamentally flawed, 
or the document does not and therefore is in error. I refer to the sentence:

As many grid authentication and authorization decisions based on X.509 
credentials currently only use the subject distinguished name for 
decision making


This is in effect saying that the CA is the SOA and there is no 
difference between authn and authz. Authn and Authz operate at the same 
level of granularity. There are no authz certificates, only PKI certs. 
This is the first fundamental flaw. This must be a flaw in the grid 
architecture and not in the operation of CAs. But you seem to be placing 
the responsibility for your merging of authn and authz on the CAs, and 
blaming them for this.

This first flaw naturally leads into the second fundamental flaw.

The next issue is that what you are really wanting to ensure is that the 
correct biological entity has access to a grid resource. This entity can 
be given one or more globally unique DNs. Further, there is nothing to 
stop several CAs giving certificates to the same biological entity and 
using the same DN. If the entity can prove possession of that DN (e.g. 
based on passport number) then it is OK for multiple CAs to issue certs 
in the same DN. After all, all the CAs should be doing is authenticating 
the user. Your current draft forbids this, which again is a fundamental 
flaw, probably because authn is tightly bound to authz. However, this 
might be because many CAs are flawed and do not do what they are 
supposed to, which is authenticate the user and his right to use a 
specific DN. If the CA behaves correctly you have nothing to worry 
about. If it does not, then you are correct to worry. If the same DN can 
be given to two different biological entities by the same or different 
CAs, then you have a big (unsurmountable) problem. Your entire 
infrastructure is unreliable since your authentication mechanism is 
unreliable. Even OpenID does not suffer from this problem. You might not 
know who the other person is with OpenID, but for sure you know that two 
different people cannot have the same OpenID. Perhaps you should 
consider switching to OpenID as your authentication mechanism. OpenID 
with a strong authorisation mechanism will be far preferable to what 
you have today.

regards

David

David Groep wrote:
> Dear all,
> 
> The rationale for the signing policy file, expressing Relying Party Defined
> Namespace Constraints, has been documented in a CAOPS-WG draft document. This
> document is now nearing completion, but as its baseline is now more than two
> years old, we feel that the list of requirements on the signing policy
> language expressed in that document may no longer be up to date.
> 
> As we discussed in the CAOPS WG, we have updated the document and now invite
> our major relying parties and middleware providers explicitly to comment on
> this document. Dave (JSPG), Christoph (MWSG) and Frank (Globus), can you
> forward this as appropriate?
> 
> The latest document draft is at:
> 
>   https://forge.gridforum.org/sf/go/doc4857
>   (PDF version attached)
> 
> and is really, really, small.
> 
> We would like to complete this document well before the Barcelona OGF in May, so
> your timely feedback is really, really welcome. And since the doc is small...
> 
>     Thanks,
>     DavidG.
> 
> PS: We will also ask "end-user" relying parties via the IGTF and EUGridPMA
> announcement newsletter.
> 

-- 

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Skype Name: davidwchadwick
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick at kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://www.cs.kent.ac.uk/research/groups/iss/index.html
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************
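Editor's added example, not code from the CAOPS-WG draft, from Globus, or from either David: a minimal evaluator for the relying-party-defined namespace constraint that the signing_policy file expresses, showing concretely the situation discussed above where two CAs could issue the same subject DN. It assumes the classic Globus signing_policy grammar (the three directives access_id_CA, pos_rights and cond_subjects, with single-quoted values and a double-quoted list of wildcard patterns); the CA names, policies and subject DNs are constructed for the demonstration, and pattern matching is reduced to case-sensitive glob matching, which is a simplification of what the real Globus code does.

```python
"""Relying-party namespace constraint check in the signing_policy style.

Added example; not the draft's or Globus' own code.  The grammar handled is
the classic Globus signing_policy format reduced to the three directives a
relying party needs.  All policies and DNs below are constructed samples.
"""
import fnmatch
import shlex
from typing import Dict, List, Optional

# Constructed sample: two CAs, each given its own namespace by the relying
# party.  Either CA could in principle sign a certificate carrying the same
# subject DN; the signing_policy decides from which issuer the relying party
# will accept that DN.
SAMPLE_POLICIES = {
    "ca-a.signing_policy": """
# constructed example policy for CA A (hypothetical names)
access_id_CA   X509   '/C=NL/O=Example Grid CA A/CN=Grid CA A'
pos_rights     globus CA:sign
cond_subjects  globus '"/C=NL/O=Example Grid CA A/*" "/C=NL/O=ExampleUniv/*"'
""",
    "ca-b.signing_policy": """
# constructed example policy for CA B (hypothetical names)
access_id_CA   X509   '/C=DE/O=Example Grid CA B/CN=Grid CA B'
pos_rights     globus CA:sign
cond_subjects  globus '"/C=DE/O=Example Grid CA B/*"'
""",
}


def parse_signing_policy(text: str) -> Dict[str, object]:
    """Parse one signing_policy file into {'ca', 'sign_allowed', 'subjects'}."""
    policy: Dict[str, object] = {"ca": None, "sign_allowed": False, "subjects": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        tokens = shlex.split(line)               # honours the single-quoted values
        if len(tokens) != 3:
            raise ValueError(f"malformed signing_policy line: {raw!r}")
        directive, kind, value = tokens
        if directive == "access_id_CA" and kind == "X509":
            policy["ca"] = value
        elif directive == "pos_rights" and kind == "globus" and value == "CA:sign":
            policy["sign_allowed"] = True
        elif directive == "cond_subjects" and kind == "globus":
            # value is a space-separated list of double-quoted patterns
            policy["subjects"].extend(shlex.split(value))  # type: ignore[union-attr]
        else:
            raise ValueError(f"unsupported directive: {raw!r}")
    if policy["ca"] is None:
        raise ValueError("signing_policy names no CA (access_id_CA missing)")
    return policy


def subject_permitted(policy: Dict[str, object], issuer_dn: str, subject_dn: str) -> bool:
    """The constraint proper: accepted only if signed by the CA this policy
    names, that CA may sign, and the subject DN lies inside one of the
    cond_subjects patterns.  '*' matches any run of characters (simplified,
    case-sensitive glob matching; assumption of this example)."""
    if issuer_dn != policy["ca"] or not policy["sign_allowed"]:
        return False
    return any(fnmatch.fnmatchcase(subject_dn, pat) for pat in policy["subjects"])  # type: ignore[union-attr]


def check_certificate(policies: Dict[str, Dict[str, object]],
                      issuer_dn: str, subject_dn: str) -> Optional[str]:
    """Return the name of the policy that accepts this issuer/subject pair,
    or None if no relying-party policy admits the DN from that issuer."""
    for name, pol in policies.items():
        if subject_permitted(pol, issuer_dn, subject_dn):
            return name
    return None


POLICIES = {name: parse_signing_policy(text) for name, text in SAMPLE_POLICIES.items()}
CA_A = "/C=NL/O=Example Grid CA A/CN=Grid CA A"
CA_B = "/C=DE/O=Example Grid CA B/CN=Grid CA B"
ALICE = "/C=NL/O=ExampleUniv/CN=Alice Example"      # constructed subject DN

if __name__ == "__main__":
    # Same DN, two issuers: only the issuer whose namespace covers it is accepted.
    print(check_certificate(POLICIES, CA_A, ALICE))   # ca-a.signing_policy
    print(check_certificate(POLICIES, CA_B, ALICE))   # None
```

Two things worth noticing when running it. The outcome for the second call is exactly the behaviour the thread argues about: the relying party, not the CA, decides that CA B may not vouch for a DN under /C=NL/O=ExampleUniv, regardless of whether CA B authenticated the same person. And the trailing "/" before the "*" in each pattern matters: "/C=NL/O=ExampleUniv/*" does not match "/C=NL/O=ExampleUniversity/CN=Eve", whereas a sloppier "/C=NL/O=ExampleUniv*" would.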
