
Re: Name Constraints, was Re: [caops-wg] Re: ca signing policy file



Sorry, but I have to disagree strongly.

Having no name constraints and letting any CA issue any name it wants puts all your trusted CAs on equal footing concerning the names they issue: any CA can overstep its policy boundaries concerning the issued names and you have no way to find out.

Some form of enforced name-constraining policy or localizing the name-issuing to a CA is the only safeguard you have against any rogue CA among the zillions that may be present in your trusted CA-directory.

Wasn't that the main reason that we have our current ca signing policy files in the first place?
Did I miss anything?

-Frank.


Mike Helm wrote:
"Cowles, Robert D." writes:

that the middleware includes a check of the CA when it compares
on DN, then what you say is correct.
This is one of the essential problems with this service that
has never been addressed as far as I know. name constraints
"be" an incomplete barrier.

BTW, we have found this omission _useful_ in our past.

We switched from a test, development lab CA (DOE Science Grid) to a production
quality CA (doegrids), and we used this property to ease subscribers'
transition to the new CA. Lesson? Overlapping name spaces
might be useful!

--
Frank Siebenlist               franks@mcs.anl.gov
The Globus Alliance - Argonne National Laboratory
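
Added example, not part of the original message and not Globus code: a minimal per-CA namespace check showing the two points raised in this thread, that comparing on the subject DN alone accepts a certificate from any trusted CA, and that a per-CA policy can still allow deliberately overlapping name spaces. The policy layout, the helper names and every DN below are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed policy: each trusted CA (keyed by issuer DN) may sign only
# subjects matching its patterns. Two CAs share the People namespace on
# purpose, modelling a migration from a test CA to a production CA.
SIGNING_POLICY = {
    "/O=ExampleLab/CN=Test CA": ["/O=ExampleLab/OU=People/*"],
    "/O=ExampleLab/CN=Production CA": ["/O=ExampleLab/OU=People/*",
                                       "/O=ExampleLab/OU=Services/*"],
    "/O=OtherOrg/CN=Other CA": ["/O=OtherOrg/*"],
}

ALICE = "/O=ExampleLab/OU=People/CN=Alice"

# Constructed (issuer, subject) pairs as they would appear in presented certs.
CERTS = [
    ("/O=ExampleLab/CN=Test CA", ALICE),        # within namespace
    ("/O=ExampleLab/CN=Production CA", ALICE),  # overlapping namespace, allowed
    ("/O=OtherOrg/CN=Other CA", ALICE),         # CA overstepping its namespace
]


def dn_only_check(subject, authorized_subjects):
    """Authorization that compares on the subject DN and ignores the issuer."""
    return subject in authorized_subjects


def issuer_allowed(issuer, subject, policy=SIGNING_POLICY):
    """True only if the issuer is listed and the subject is in its namespace."""
    # Note: fnmatch also treats '?' and '[' as wildcards; the sample DNs avoid them.
    return any(fnmatchcase(subject, pat) for pat in policy.get(issuer, []))


def authorize(issuer, subject, authorized_subjects, policy=SIGNING_POLICY):
    """Subject must be authorized AND issued by a CA allowed to sign that name."""
    return (issuer_allowed(issuer, subject, policy)
            and dn_only_check(subject, authorized_subjects))


def out_of_namespace(certs, policy=SIGNING_POLICY):
    """Return the (issuer, subject) pairs signed outside the issuer's namespace."""
    return [(i, s) for i, s in certs if not issuer_allowed(i, s, policy)]


if __name__ == "__main__":
    for issuer, subject in CERTS:
        print(issuer, dn_only_check(subject, {ALICE}),
              authorize(issuer, subject, {ALICE}))
```
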