[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Name Constraints, was Re: [caops-wg] Re: ca signing policy file
- To: helm@xxxxxxxxxxxx
- Subject: Re: Name Constraints, was Re: [caops-wg] Re: ca signing policy file
- From: Frank Siebenlist <franks@xxxxxxxxxxx>
- Date: Thu, 13 Oct 2005 11:08:47 -0700
- Cc: "Cowles, Robert D." <rdc@xxxxxxxxxxxxxxxxx>,David Chadwick <d.w.chadwick@xxxxxxxxxx>,Von Welch <vwelch@xxxxxxxxxxxxx>, "Tony J. Genovese" <tony@xxxxxx>,CAOPS-WG <caops-wg@xxxxxxx>, Olle Mulmo <mulmo@xxxxxxxxxx>,Joni Hahkala <joni.hahkala@xxxxxxx>, Jules Wolfrat <wolfrat@xxxxxxx>,Ron Trompert <ron@xxxxxxx>
- Delivered-to: grdfm-caops-wg-outgoing@mailbouncer.mcs.anl.gov
- Delivered-to: grdfm-caops-wg@mailbouncer.mcs.anl.gov
- In-reply-to: <200510131730.j9DHULMc012369@fionn.es.net>
- References: <200510131730.j9DHULMc012369@fionn.es.net>
- Sender: owner-caops-wg@xxxxxxx
- User-agent: Thunderbird 1.4.1 (Macintosh/20051006)
Mike Helm wrote:
Frank Siebenlist writes:
With your proposed scheme, any "trusted" CA in Italy, Germany, even
Holland..., would have the theoretical opportunity to issue a
certificate that would impersonate the director of Berkeley, NCSA,
Livermore, Los Alamos... and we would have no way to enforce any policy
in real-time that could prevent it.
Of course, if you think the names in a certificate have an inherent
meaning,
The idea of using unique but meaningless names in the certs is a good
one, but it doesn't solve the issue really...
It definitely makes the initial vetting easier, but after you have
assigned some uuid to some key, and that key-holder happens to be the
lab director, then it is no longer a meaningless name for subsequent
authorization decisions. It then becomes important that no other CA will
issue that same uuid to the key of a different key-holder, which should
be "enforced" either by "Thy shall not..." policies or by adding the CA
somehow in the equation for real-time enforcement.
and you don't use the issuer in the evaluation, you are stuck.
This is the defect in the grid authentication scheme. Trying to fix
this with name constraints is backwards in my opinion.
Are you suggesting that we should keep the CA always with the DN for all
the authorization decisions?
(Essentially pushing the policy enforcement of name+CA to the
authorization stage and throwing-in the towel as far as the pkix/x509
global-naming dream is concerned...)
If this acceptable to all our end user organizations, we should happily
adopt the web-browser trust model with paper CA policy statements... and
I'm serious here.
Just what do you think we have now?
That is the real question then: Can the EGEE/FusionGRID/OSG/TeraGRID/???
live happily with the "Thy shall not..." model?
If so, life is easy, no need for those pesky ca signing policy files,
and let's move on...
If not, or maybe not, or sometimes not, should we move to a model where
the CAs remain in the authorization picture and asserted names should
always be considered in the context of the issuer?
-Frank.
--
Frank Siebenlist franks@mcs.anl.gov
The Globus Alliance - Argonne National Laboratory