Hi Olle,

Olle Mulmo wrote:
> ... The last point ("make validation...") is too vaguely stated. Any certificate in the chain implies that the RP should honor arbitrary Policy OIDs embedded in self-issued proxy certs. I suggest narrowing this down to EE and sub-CA certs for now.
Agreed. In a practical implementation, though, I would suggest that the policy allows a set of ranges of policy OIDs from a specific issuer, and that that range is configurable independently for each issuer or group of issuers. E.g.

  * from "The Banana CA"
  * allow only EE certs with oids 1.2.840.113612.5.2.3.1.99.(2-3,7).*

(and maybe denial as well, although that will surely be a hot topic :-)

To indicate only those EE certificates with the additional policy statements that the private key is stored in a peach(2), a pineapple(3) or an orange(7) or in any subspecies thereof.
> You could add another wishlist item that middleware providers should honor the same configuration syntax that controls the OID set and namespace constraints... (and the CAOPS group should quickly find volunteers that nail down that syntax).
Kind-of agree as well. Same syntax for all middlewares is certainly needed; a common (and simple) syntax for expressing RP-namespace constraints and OID constraints would be nice, but hard...

Cheers,
DavidG.

-- 
David Groep
** National Institute for Nuclear and High Energy Physics, PDP/Grid group **
** Room: H1.56  Phone: +31 20 5922179, PObox 41882, NL-1009DB Amsterdam NL **
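The per-issuer OID-range idea in David's message, worked through as an added example that is not code from the thread, from CAOPS, or from any grid middleware. It assumes one reading of the sketched syntax: an arc is either a number, a "(2-3,7)" group of numbers and ranges, or a trailing "*" that matches the named OID and anything in its subtree; the relying-party (RP) configuration structure, the "applies_to" / "allow" / "deny" keys and the issuer DN are all constructed here for illustration. The matcher only honours policy OIDs from EE and sub-CA certificates, following Olle's point that proxy certificates should not be able to inject arbitrary policy OIDs.

```python
import re
from typing import Dict, FrozenSet, List, Sequence, Union

# One arc of a pattern: a literal integer, a set of permitted integers
# (from a "(2-3,7)" group) or the wildcard "*" (only valid as the last arc).
Arc = Union[int, FrozenSet[int], str]

_GROUP_RE = re.compile(r"^\((\d+(?:-\d+)?(?:,\d+(?:-\d+)?)*)\)$")


def parse_pattern(pattern: str) -> List[Arc]:
    """Parse an OID pattern such as '1.2.3.(2-3,7).*' into arcs (assumed syntax)."""
    arcs: List[Arc] = []
    parts = pattern.split(".")
    for i, part in enumerate(parts):
        if part == "*":
            if i != len(parts) - 1:
                raise ValueError("'*' is only allowed as the final arc: %r" % pattern)
            arcs.append("*")
        elif part.isdigit():
            arcs.append(int(part))
        else:
            m = _GROUP_RE.match(part)
            if not m:
                raise ValueError("bad arc %r in pattern %r" % (part, pattern))
            values = set()
            for item in m.group(1).split(","):
                lo, _, hi = item.partition("-")
                hi = hi or lo
                if int(lo) > int(hi):
                    raise ValueError("empty range %r in pattern %r" % (item, pattern))
                values.update(range(int(lo), int(hi) + 1))
            arcs.append(frozenset(values))
    return arcs


def oid_matches(oid: str, pattern: str) -> bool:
    """True if the dotted-decimal OID is covered by the pattern."""
    arcs = parse_pattern(pattern)
    try:
        oid_arcs = [int(a) for a in oid.split(".")]
    except ValueError:
        return False  # not a syntactically valid OID: never matches
    for i, arc in enumerate(arcs):
        if isinstance(arc, str):          # "*": the prefix itself and its whole subtree
            return True
        if i >= len(oid_arcs):            # OID is shorter than the fixed part of the pattern
            return False
        if isinstance(arc, int):
            if oid_arcs[i] != arc:
                return False
        elif oid_arcs[i] not in arc:
            return False
    return len(oid_arcs) == len(arcs)     # no wildcard: lengths must agree exactly


# Constructed RP configuration (illustrative structure, not a real syntax):
# per issuer, which certificate kinds the rules cover, which policy OID
# patterns the RP honours, and which it refuses even if allowed above.
RP_CONFIG: Dict[str, Dict[str, object]] = {
    "/C=XX/O=Fruit Grid/CN=The Banana CA": {          # issuer DN is made up
        "applies_to": {"ee", "sub-ca"},
        "allow": ["1.2.840.113612.5.2.3.1.99.(2-3,7).*"],
        "deny": ["1.2.840.113612.5.2.3.1.99.7.13"],   # constructed denial example
    },
}


def honored_policies(issuer: str, cert_kind: str, policy_oids: Sequence[str],
                     config: Dict[str, Dict[str, object]] = RP_CONFIG) -> List[str]:
    """Return the subset of a certificate's policy OIDs the RP should honour.

    Unknown issuers and certificate kinds outside the rule (e.g. proxies)
    get nothing honoured, so a self-issued proxy cannot add policy OIDs.
    """
    rules = config.get(issuer)
    if rules is None or cert_kind not in rules["applies_to"]:
        return []
    honored = []
    for oid in policy_oids:
        allowed = any(oid_matches(oid, p) for p in rules["allow"])
        denied = any(oid_matches(oid, p) for p in rules["deny"])
        if allowed and not denied:
            honored.append(oid)
    return honored


if __name__ == "__main__":
    issuer = "/C=XX/O=Fruit Grid/CN=The Banana CA"
    claimed = ["1.2.840.113612.5.2.3.1.99.2.4",    # "peach" subtree: honoured
               "1.2.840.113612.5.2.3.1.99.5.1",    # outside the allowed set
               "1.2.840.113612.5.2.3.1.99.7.13"]   # allowed but explicitly denied
    print(honored_policies(issuer, "ee", claimed))
    print(honored_policies(issuer, "proxy", claimed))
```

The allow/deny split mirrors the "maybe denial as well" aside: an OID is honoured only if some allow pattern covers it and no deny pattern does, and both lists are evaluated per issuer, so a pattern that is permissive for one CA says nothing about another.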