Frank Siebenlist wrote:
Sorry, but I have to disagree strongly.
Having no name constraints and letting any CA issue any name it wants, puts all your trusted CAs on equal footing concerning the names they issue: any CA can overstep its policy boundaries concerning the issued names and you have no way to find out.
Frank if the names are completely unique random numbers (such as a hash of a public key), then I dont see your problem with a CA overstepping the boundaries. Can you be more specific about what the problem is. A CA is a certification authority, not a naming authority. The purpose of a CA is to bind a name to the public key. The CA should not be responsible for allocating the name, only authenticating that the user has the right to use the globally unique name it claims. If the name is a hash of the public key, then anyone can claim this right through POP. If the name is based on a passport of SS number or email address then the CA can authenticate this. In this type of scenario name constraints are not that useful. They can be introduced if you want to say things like only the US CA can issue certs based on US passport numbers. One of the ways that PKIX went wrong was by giving the CA the naming authority role as well as the certification role, because it reduced the liability of the CA (it did not have to do a full job anymore). regards David
Some form of enforced name constraining policy or localizing the name-issuing to a CA is the only safeguard you have against any rogue CA among the zillions that may be present in your trusted CA-directory.
Wasn't that the main reason that we have our current ca signing policy files in the first place? Did I miss anything?
-Frank.
Mike Helm wrote:
"Cowles, Robert D." writes:
that the middleware includes a check of the CA when it compares on DN, then what you say is correct.
This is one of the essential problems with this service that has never been addressed as far as I know. name constraints "be" an incomplete barrier.
BTW, we have found this omission _useful_ in our past.
We switched from a test, development lab CA (DOE Science Grid) to a production quality CA (doegrids), and we used this property to ease subscribers' transition to the new CA. Lesson? Overlapping name spaces might be useful!
-- ***************************************************************** David W. Chadwick, BSc PhD Professor of Information Systems Security The Computing Laboratory, University of Kent, Canterbury, CT2 7NF Tel: +44 1227 82 3221 Fax +44 1227 762 811 Mobile: +44 77 96 44 7184 Email: D.W.Chadwick@kent.ac.uk Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html Research Web site: http://sec.cs.kent.ac.uk Entrust key validation string: MLJ9-DU5T-HV8J PGP Key ID is 0xBC238DE5 *****************************************************************