
Re: [caops-wg] Re: ca signing policy file




Mike Helm wrote:
> Do I understand correctly that you are suggesting that a CA's namespace file can include rules for all of its subordinates? (This seems to be what your example implies.) I actually think I like this idea, see next comment.

This is actually in fact what the original X.509 name constraints extension was designed to do, until RFC3280 perverted it.


> That's indeed what I meant. It would enable new subordinates to
> "glide in" without intervention from the admin, as long as they
> stay within the namespace assigned for subordinates.
Exactly. A superior CA should be able to constrain what a subordinate CA can do. Then if the subordinate CA does something different when issuing certs, those certs won't be trusted.




> You all might want to look into a sort of movement that seems to exist in some
> PKIX members. I've picked up some Microsoft certs recently that seem to have
> AIA extensions that jump around missing links in the trust chain
> (between the end entity cert you have, and the trusted issuer pre-installed
> in your cert store).
It's actually worse than that. Microsoft will actually trust and validate certificates that have names that do not conform to the name constraints extension, due to the fact that RFC 3280 says that all non-specified name spaces are trusted (whereas X.509 stated that they were untrusted).


> Somewhere I have read a justification / method for
> this but have lost track.
I am still to find a justification for this :-)


regards

David

> But there is at least one example of another variant
> in a current draft in the IETF PKIX WG:
>
> http://www.ietf.org/internet-drafts/draft-ietf-pkix-crlaia-03.txt


--

*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://sec.cs.kent.ac.uk
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5

*****************************************************************
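The two points the thread turns on (a superior CA assigning a namespace that binds every subordinate below it, and the difference between the RFC 3280 reading, where a name type that no constraint lists stays unrestricted, and the X.509 reading described above, where it is untrusted) can be made concrete with a small constraint evaluator. This is an added example, not code from the list, from Microsoft's validator, or from any PKIX draft; the CA chain, the leaf names and the subtree-matching rules are constructed and simplified (DNs are tuples of RDN strings, DNS and e-mail subtrees are plain strings).

```python
# Added illustration for this thread; not code from the list, from Microsoft,
# or from the PKIX drafts mentioned. It evaluates X.509-style name constraints
# down a CA chain under two readings of a name type that no constraint lists:
#   "rfc3280": unlisted name types stay unrestricted (the reading the thread
#              attributes to RFC 3280 and to Microsoft's validator)
#   "strict":  a CA that carries constraints rejects every name type it does
#              not list (the reading the thread attributes to the original X.509)
import ipaddress
from dataclasses import dataclass, field


@dataclass
class CA:
    label: str
    # name type ("dns", "email", "dn", "ip") -> list of subtrees
    permitted: dict = field(default_factory=dict)
    excluded: dict = field(default_factory=dict)

    def has_constraints(self):
        return bool(self.permitted or self.excluded)

    def specifies(self, name_type):
        return name_type in self.permitted or name_type in self.excluded


def _in_subtree(name_type, name, subtree):
    """Subtree matching, simplified from RFC 3280 section 4.2.1.11."""
    if name_type == "dns":
        n, s = name.lower(), subtree.lower().lstrip(".")
        return n == s or n.endswith("." + s)
    if name_type == "email":
        n, s = name.lower(), subtree.lower()
        if "@" in s:                       # a single mailbox
            return n == s
        domain = n.rsplit("@", 1)[-1]
        if s.startswith("."):              # any mailbox within the domain
            return domain.endswith(s)
        return domain == s                 # any mailbox on exactly this host
    if name_type == "dn":
        # a DN is a tuple of RDN strings; it lies in any subtree that is its prefix
        return tuple(name[:len(subtree)]) == tuple(subtree)
    if name_type == "ip":
        return ipaddress.ip_address(name) in ipaddress.ip_network(subtree, strict=False)
    raise ValueError(f"unknown name type {name_type!r}")


def check_name(chain, name_type, name, policy="rfc3280"):
    """Walk the chain root-first and return (accepted, reason)."""
    for ca in chain:
        if not ca.has_constraints():
            continue                       # a CA without the extension imposes nothing
        if not ca.specifies(name_type):
            if policy == "strict":
                return False, f"{ca.label}: name type {name_type!r} not covered"
            continue
        for sub in ca.excluded.get(name_type, []):
            if _in_subtree(name_type, name, sub):
                return False, f"{ca.label}: {name!r} in excluded subtree {sub!r}"
        permitted = ca.permitted.get(name_type)
        if permitted is not None and not any(_in_subtree(name_type, name, s) for s in permitted):
            return False, f"{ca.label}: {name!r} outside permitted subtrees"
    return True, "ok"


def check_cert(chain, names, policy="rfc3280"):
    """Every subject/SAN name of a leaf must pass; return (accepted, failures)."""
    failures = []
    for name_type, name in names:
        ok, reason = check_name(chain, name_type, name, policy)
        if not ok:
            failures.append(reason)
    return not failures, failures


# Constructed chain: the root carries no constraints, the superior CA assigns a
# namespace that binds all of its subordinates, and one subordinate narrows it.
ROOT = CA("Root CA")
SUPERIOR = CA("Superior CA", permitted={
    "dns": [".example.org"], "email": [".example.org"], "dn": [("C=UK", "O=Example")]})
SUBORDINATE = CA("Subordinate CA",
                 permitted={"dns": ["lab.example.org"]},
                 excluded={"dn": [("C=UK", "O=Example", "OU=Finance")]})
CHAIN = [ROOT, SUPERIOR, SUBORDINATE]

if __name__ == "__main__":
    # An IP SAN is a name type neither CA lists: accepted under one reading, not the other.
    leaf = [("dns", "host.lab.example.org"), ("ip", "192.0.2.1")]
    for policy in ("rfc3280", "strict"):
        print(policy, check_cert(CHAIN, leaf, policy))
```

Under the "rfc3280" reading the subordinate never has to repeat its superior's e-mail constraint, because an unlisted name type is simply passed through; under the "strict" reading every CA that carries the extension must list each name type it wants to allow, which is the behaviour the thread describes X.509 as intending.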