Re: Name Constraints, was Re: [caops-wg] Re: ca signing policy file
- To: Frank Siebenlist <franks@xxxxxxxxxxx>
- Subject: Re: Name Constraints, was Re: [caops-wg] Re: ca signing policy file
- From: Mike Helm <helm@xxxxxxxxxxxx>
- Date: Thu, 13 Oct 2005 10:30:21 -0700
- Cc: "Cowles, Robert D." <rdc@xxxxxxxxxxxxxxxxx>,David Chadwick <d.w.chadwick@xxxxxxxxxx>,Von Welch <vwelch@xxxxxxxxxxxxx>, "Tony J. Genovese" <tony@xxxxxx>,CAOPS-WG <caops-wg@xxxxxxx>, Olle Mulmo <mulmo@xxxxxxxxxx>,Joni Hahkala <joni.hahkala@xxxxxxx>, Jules Wolfrat <wolfrat@xxxxxxx>,Ron Trompert <ron@xxxxxxx>
- In-reply-to: Your message of "Wed, 12 Oct 2005 21:05:31 PDT." <434DDD0B.3070605@mcs.anl.gov>
- Reply-to: helm@xxxxxxxxxxxx
- Sender: owner-caops-wg@xxxxxxx
Frank Siebenlist writes:
> With your proposed scheme, any "trusted" CA in Italy, Germany, even
> Holland..., would have the theoretical opportunity to issue a
> certificate that would impersonate the director of Berkeley, NCSA,
> Livermore, Los Alamos... and we would have no way to enforce any policy
> in real-time that could prevent it.
Of course, if you think the names in a certificate have an inherent
meaning, and you don't use the issuer in the evaluation, you are stuck.
This is the defect in the grid authentication scheme. Trying to fix
this with name constraints is backwards in my opinion.
> If this is acceptable to all our end user organizations, we should happily
> adopt the web-browser trust model with paper CA policy statements... and
> I'm serious here.
Just what do you think we have now?
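The point Mike makes, that a subject name only means something relative to the CA that issued it, can be shown in code. The following is an added example, not code from this thread or from any grid middleware. The policy format is a hypothetical, simplified stand-in for a per-CA signing-policy file (issuer DN, then the subject-name patterns that CA may sign for), and all DNs and certificates are constructed sample data. It contrasts a check that consults only the issuer's trust status with one that also binds the subject name to the issuer's namespace.

```python
"""Issuer-bound subject-name evaluation (added example, constructed data)."""
from fnmatch import fnmatchcase
from typing import Dict, List, NamedTuple, Set


class Cert(NamedTuple):
    issuer: str   # DN of the CA that signed the certificate
    subject: str  # DN the certificate asserts


# Constructed, simplified policy text (hypothetical format): one line per CA,
# issuer DN, then the subject patterns that CA is permitted to sign for.
# Patterns are shell-style globs over the string form of the DN.
POLICY_TEXT = """
# issuer DN | permitted subject patterns (comma separated)
/C=US/O=Example Lab CA | /C=US/O=Example Lab/*
/C=IT/O=Example Italian CA | /C=IT/O=*/CN=*
"""


def parse_policy(text: str) -> Dict[str, List[str]]:
    """Turn the policy text into a map of issuer DN -> allowed subject patterns."""
    policy: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        issuer, _, patterns = line.partition("|")
        policy[issuer.strip()] = [p.strip() for p in patterns.split(",") if p.strip()]
    return policy


def subject_only_trusted(cert: Cert, trusted_cas: Set[str]) -> bool:
    """The weak check: any subject is accepted if *some* trusted CA signed it.

    This is the situation the thread describes: a trusted CA anywhere can
    issue a certificate carrying another organisation's subject name.
    """
    return cert.issuer in trusted_cas


def issuer_bound_trusted(cert: Cert, policy: Dict[str, List[str]]) -> bool:
    """The stronger check: issuer must be trusted AND the subject must lie
    inside the namespace the policy grants to that issuer."""
    patterns = policy.get(cert.issuer)
    if patterns is None:
        return False
    return any(fnmatchcase(cert.subject, p) for p in patterns)


def evaluate(cert: Cert, policy: Dict[str, List[str]]) -> Dict[str, bool]:
    """Run both checks so the difference is visible side by side."""
    return {
        "subject_only": subject_only_trusted(cert, set(policy)),
        "issuer_bound": issuer_bound_trusted(cert, policy),
    }


POLICY = parse_policy(POLICY_TEXT)

# Constructed certificates.
LAB_DIRECTOR = Cert("/C=US/O=Example Lab CA", "/C=US/O=Example Lab/CN=Director")
ITALIAN_USER = Cert("/C=IT/O=Example Italian CA", "/C=IT/O=Example Uni/CN=Alice")
# A trusted foreign CA asserting a name from the lab's namespace.
IMPOSTOR = Cert("/C=IT/O=Example Italian CA", "/C=US/O=Example Lab/CN=Director")
UNKNOWN_CA = Cert("/C=XX/O=Unlisted CA", "/C=US/O=Example Lab/CN=Director")

if __name__ == "__main__":
    for name, cert in [("lab director", LAB_DIRECTOR), ("italian user", ITALIAN_USER),
                       ("impostor", IMPOSTOR), ("unknown ca", UNKNOWN_CA)]:
        print(f"{name:14s} {evaluate(cert, POLICY)}")
```

The impostor certificate passes the subject-only check, because its issuer is in the trusted set, and fails the issuer-bound check, because the subject falls outside that issuer's permitted namespace. The same outcome is what an X.509 name-constraints extension on the CA certificate would produce, but here the binding lives in the relying party's policy rather than in the certificate chain, which is the trade-off the thread is arguing about.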