Re: [caops-wg] Name Constraints - attempt at framing issues
Cowles, Robert D. wrote:
1) What CAs do we wish to consider as potential issuers for our community? Is it just "Grid CAs" (by that I mean CAs we can reasonably expect to adhere to best practices as specified by GGF WGs) or do we want to also consider CAs that we have no reasonable expectation of being able to impact their policies or procedures (e.g. commercial CAs) as potential issuers for our community as well?
I think that if we are successful, all this will be used in ways we can't now imagine or, in the future, control. To me, the idea of depending on CAs to issue certificates for DNs that are globally unique is just asking for trouble.
Trusted third parties that cannot be trusted!! Why are we bothering with them? Building a whole trust infrastructure on untrusted TTPs is a pointless exercise in futility.
regards
David
Administrative controls to keep the namespaces separate are clearly not good enough. The signing policy file is a technical control but it still seems pretty weak.

To me, the thing that is unique is (DN + CA) and the function of the CA is to try its best to not issue a cert with the same DN to different people. I would be happy if they can do just that and I think it unreasonable to believe that the DN is unique in the universe (or even a small section thereof). The signing policy files basically allow us to say - given this DN, it should have been issued by that CA - and as far as I can see, it's because the CA isn't stored in the gridmapfile (and maybe it's not there because the DN was supposed to be unique - but that was 8-10 years ago, and we know better now).
2) Do we believe that during normal operation the CAs indicated in the response to the first question have policy that will result in their issuing globally unique names and will reliably follow that policy?
I think it's not true in "normal operation" and that any moderately talented attacker would be able to generate a condition outside of "normal operations" and get *someone* to issue a certificate with any DN they chose.
3) If a CA is compromised, given current implementations, this will
(my comments here were in an earlier email).
--
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Tel: +44 1227 82 3221
Fax +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://sec.cs.kent.ac.uk
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************
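The thread's central point is that a gridmap file keyed on the DN alone cannot tell two CAs apart, while a signing-policy check makes (DN + CA) the effective identity. The following is an added example, not code from the caops-wg thread or from any Grid middleware: it models a gridmap lookup and a simplified signing-policy check side by side, so the reader can see a colliding DN from a second CA slip through the DN-only lookup and be refused once the issuer is taken into account. The policy text format, the CA and subject DNs, and the account names are all constructed for the example; the real Globus signing_policy syntax is richer than the one-line "issuer | patterns" form used here.

```python
"""Toy model of DN-only versus (DN + CA) authorization.

Added example for the caops-wg name-constraints discussion; not code
from the thread or from any Grid software.  The policy and gridmap
formats below are constructed simplifications.
"""
from fnmatch import fnmatchcase

# Constructed signing policy: which issuing CA may sign which subject DNs.
# Format (invented for this example): "<issuer DN> | <glob> [<glob> ...]".
SIGNING_POLICY_TEXT = """\
# issuer DN                        | subject DN patterns this CA may sign
/C=UK/O=eScience/CN=eScience CA    | /C=UK/O=eScience/*
/C=US/O=DOEGrids/CN=DOEGrids CA    | /C=US/O=DOEGrids/*
"""

# Constructed gridmap: subject DN -> local account.  Note that, as the
# thread observes, the issuing CA is not recorded here at all.
GRIDMAP_TEXT = """\
"/C=UK/O=eScience/OU=Kent/CN=Alice Example" alice
"/C=US/O=DOEGrids/OU=LBNL/CN=Bob Example" bob
"""

ESCIENCE_CA = "/C=UK/O=eScience/CN=eScience CA"
DOEGRIDS_CA = "/C=US/O=DOEGrids/CN=DOEGrids CA"
ALICE_DN = "/C=UK/O=eScience/OU=Kent/CN=Alice Example"


def parse_signing_policy(text):
    """Return {issuer DN: [subject glob, ...]} from the constructed format."""
    policy = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        issuer, _, patterns = line.partition("|")
        policy[issuer.strip()] = patterns.split()
    return policy


def parse_gridmap(text):
    """Return {subject DN: account} from '"<DN>" <account>' lines."""
    gridmap = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        dn, account = line.rsplit(None, 1)
        gridmap[dn.strip('"')] = account
    return gridmap


POLICY = parse_signing_policy(SIGNING_POLICY_TEXT)
GRIDMAP = parse_gridmap(GRIDMAP_TEXT)


def lookup_dn_only(subject_dn, gridmap=GRIDMAP):
    """The weak control: map on DN alone, ignoring who issued the cert."""
    return gridmap.get(subject_dn)


def authorize(issuer_dn, subject_dn, policy=POLICY, gridmap=GRIDMAP):
    """(DN + CA) control: the issuer must be a known CA whose permitted
    namespace covers the subject DN before the gridmap is consulted.
    Returns (account or None, reason)."""
    patterns = policy.get(issuer_dn)
    if patterns is None:
        return None, "issuer CA not in signing policy"
    if not any(fnmatchcase(subject_dn, p) for p in patterns):
        return None, "subject DN outside issuer's permitted namespace"
    account = gridmap.get(subject_dn)
    if account is None:
        return None, "no gridmap entry for DN"
    return account, "ok"


if __name__ == "__main__":
    # Alice's genuine certificate from her own CA.
    print("eScience CA  ->", authorize(ESCIENCE_CA, ALICE_DN))
    # A second CA issuing the same DN: the DN-only lookup cannot tell
    # the difference, the signing-policy check refuses it.
    print("DN-only map  ->", lookup_dn_only(ALICE_DN))
    print("DOEGrids CA  ->", authorize(DOEGRIDS_CA, ALICE_DN))
    # A CA the site has never heard of.
    print("unknown CA   ->", authorize("/C=XX/O=Nowhere/CN=Other CA", ALICE_DN))
```

The second case is the one the thread worries about: the gridmap happily returns `alice` for a certificate the eScience CA never issued, and only the per-issuer namespace check turns it away. The check is still only as strong as the patterns, which is the weakness David points at; two CAs whose permitted namespaces overlap would again be indistinguishable by this mechanism.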