RE: [caops-wg] Name Constraints - attempt at framing issues
Trusted third parties that cannot be trusted!! Why are we bothering with them? Building a whole trust infrastructure on untrusted TTPs is a pointless exercise in futility.
Yes ... well, it was pointed out at the last EUgridPMA meeting that the VO's go thru almost the exact same process to register people ... so what value did the CA's provide? BC
Cowles, Robert D. wrote:
Trusted third parties that cannot be trusted!! Why are we bothering with them? Building a whole trust infrastructure on untrusted TTPs is a pointless exercise in futility.
Yes ... well, it was pointed out at the last EUgridPMA meeting that the VO's go thru almost the exact same process to register people ... so what value did the CA's provide?
BC

Well, if it's a Thawte cert, precisely none. As I have said before, the purpose of a CA is to authenticate a user's right to use a claimed name, and then bind that to his public key, i.e. to certify the key-to-name binding: a certification authority. It is not, I repeat not, to be a naming authority.

regards
David
--
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Tel: +44 1227 82 3221
Fax: +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://sec.cs.kent.ac.uk
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************
"Cowles, Robert D." writes:
them? Building a whole trust infrastructure on untrusted TTPs is a pointless exercise in futility.
Yes ... well, it was pointed out at the last EUgridPMA meeting that the VO's go thru almost the exact same process to register people ... so what value did the CA's provide?
Well, I don't know what discussion took place at the last EUGrid PMA meeting, since I was not permitted to attend by local forces, however, the choice of how VO's manage their affairs in the US is almost entirely up to them. DOEGrids certainly has some VOs who register members and issue certificates directly. Why US HE physics grids don't integrate these functions more directly I don't know. I have raised this question several times, recently with OSG, and ... nothing. Probably this is some optimization of the process that has so far remained invisible to me. Or perhaps some merge certification & integration and some don't, but it has been my impression that certification and registration were kept completely separate. Maybe the system is adequate despite its lack of esthetic appeal. Don't know.
Participants (3): Cowles, Robert D.; David Chadwick; Mike Helm