RE: [caops-wg] Name Constraints - attempt at framing issues
1) What CAs do we wish to consider as potential issuers for our community? Is it just "Grid CAs" (by that I mean CA we can reasonably except to adhere to best practices as specified by GGF WGs) or do we want to also consider CAs that we have no reasonable expectation of being able to impact their policies or procedures (e.g. commercial CAs) as potential issuers for our community as well?
I think that if we are successful, all this will be used in ways we can't now imagine or, in the future, control. To me, the idea of depending on CA's to issue certificates for DNs that are globally unique is just asking for trouble. Administrative controls to keep the namespaces separate are clearly not good enough. The signing policy file is a technical control but it still seems pretty weak. To me, the thing that is unique is (DN + CA) and the function of the CA is to try it's best to not issue a cert with the same DN to different people. I would be happy if they can do just that and I think it unreasonable to believe that the DN is unique in the universe (or even a small section thereof). The signing policy files basically allow us to say - given this DN, it should have been issued by that CA - and as far as I can see, it's because the CA is't stored in the gridmapfile (and maybe it's not there because the DN was suppoed to be unique - but that was8-10 years ago, and we know better now).
2) Do we believe that during normal operation the CAs indicated in the response to the first question have policy that will result in their issuing globally unique names and will reliably follow that policy?
I think it's not true in "normal operation" and that any moderately talented attacker would be able to generate a condition outside of "normal operations" and get *someone* to issue a certificate with any DN they chose.
3) If a CA is compromised, given currently implementations, this will
(my comments here were in an earlier email).
Cowles, Robert D. wrote:
1) What CAs do we wish to consider as potential issuers for our community? Is it just "Grid CAs" (by that I mean CA we can reasonably except to adhere to best practices as specified by GGF WGs) or do we want to also consider CAs that we have no reasonable expectation of being able to impact their policies or procedures (e.g. commercial CAs) as potential issuers for our community as well?
I think that if we are successful, all this will be used in ways we can't now imagine or, in the future, control. To me, the idea of depending on CA's to issue certificates for DNs that are globally unique is just asking for trouble.
Trusted third parties that cannot be trusted!! Why are we bothering with them? Building a whole trust infrastructure on untrusted TTPs is a pointless exercise in futility. regards David Administrative controls to
keep the namespaces separate are clearly not good enough. The signing policy file is a technical control but it still seems pretty weak. To me, the thing that is unique is (DN + CA) and the function of the CA is to try it's best to not issue a cert with the same DN to different people. I would be happy if they can do just that and I think it unreasonable to believe that the DN is unique in the universe (or even a small section thereof). The signing policy files basically allow us to say - given this DN, it should have been issued by that CA - and as far as I can see, it's because the CA is't stored in the gridmapfile (and maybe it's not there because the DN was suppoed to be unique - but that was8-10 years ago, and we know better now).
2) Do we believe that during normal operation the CAs indicated in the response to the first question have policy that will result in their issuing globally unique names and will reliably follow that policy?
I think it's not true in "normal operation" and that any moderately talented attacker would be able to generate a condition outside of "normal operations" and get *someone* to issue a certificate with any DN they chose.
3) If a CA is compromised, given currently implementations, this will
(my comments here were in an earlier email).
-- ***************************************************************** David W. Chadwick, BSc PhD Professor of Information Systems Security The Computing Laboratory, University of Kent, Canterbury, CT2 7NF Tel: +44 1227 82 3221 Fax +44 1227 762 811 Mobile: +44 77 96 44 7184 Email: D.W.Chadwick@kent.ac.uk Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html Research Web site: http://sec.cs.kent.ac.uk Entrust key validation string: MLJ9-DU5T-HV8J PGP Key ID is 0xBC238DE5 *****************************************************************
David, I think part of the issue here is that trust is not binary. I trust a CA to do certain things. The reason why we are discussing Name Constraints is that they are a way to express the limitations of that trust. Von On Oct 14, 2005, at 9:15 AM, David Chadwick wrote:
Cowles, Robert D. wrote:
1) What CAs do we wish to consider as potential issuers for our community? Is it just "Grid CAs" (by that I mean CA we can reasonably except to adhere to best practices as specified by GGF WGs) or do we want to also consider CAs that we have no reasonable expectation of being able to impact their policies or procedures (e.g. commercial CAs) as potential issuers for our community as well?
I think that if we are successful, all this will be used in ways we can't now imagine or, in the future, control. To me, the idea of depending on CA's to issue certificates for DNs that are globally unique is just asking for trouble.
Trusted third parties that cannot be trusted!! Why are we bothering with them? Building a whole trust infrastructure on untrusted TTPs is a pointless exercise in futility.
regards
David
Administrative controls to
keep the namespaces separate are clearly not good enough. The signing policy file is a technical control but it still seems pretty weak. To me, the thing that is unique is (DN + CA) and the function of the CA is to try it's best to not issue a cert with the same DN to different people. I would be happy if they can do just that and I think it unreasonable to believe that the DN is unique in the universe (or even a small section thereof). The signing policy files basically allow us to say - given this DN, it should have been issued by that CA - and as far as I can see, it's because the CA is't stored in the gridmapfile (and maybe it's not there because the DN was suppoed to be unique - but that was8-10 years ago, and we know better now).
2) Do we believe that during normal operation the CAs indicated in the response to the first question have policy that will result in their issuing globally unique names and will reliably follow that policy?
I think it's not true in "normal operation" and that any moderately talented attacker would be able to generate a condition outside of "normal operations" and get *someone* to issue a certificate with any DN they chose.
3) If a CA is compromised, given currently implementations, this will
(my comments here were in an earlier email).
--
***************************************************************** David W. Chadwick, BSc PhD Professor of Information Systems Security The Computing Laboratory, University of Kent, Canterbury, CT2 7NF Tel: +44 1227 82 3221 Fax +44 1227 762 811 Mobile: +44 77 96 44 7184 Email: D.W.Chadwick@kent.ac.uk Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html Research Web site: http://sec.cs.kent.ac.uk Entrust key validation string: MLJ9-DU5T-HV8J PGP Key ID is 0xBC238DE5
*****************************************************************
On Oct 14, 2005, at 11:21 AM, Von Welch wrote:
The reason why we are discussing Name Constraints is that they are a way to express the limitations of that trust.
I agree with this point of view. It is not actually far from that expressed by David Chadwick (although I have some reservations about some of the points about time of day restrictions, etc.), and is close to the "real world" issue: if you have verified your identity enough to be allowed access to a building, for example, you may not be allowed into the more restricted areas of that building without stronger proof: a physical key, or passcode, etc. At any given level of entry, the security measure you use may not apply to earlier levels of entry, even though it is "stronger" than what got you in initially. I still think we need a proposal for an authentication profile that is built ahead of time to fit the idea that further trust might be established through the authorization framework, i.e. by name constraints, etc., as a further measure beyond initial authentication. This would be a different profile than the ones that we have on the books to date, although some ideas from using it might trickle back to the original ones. Alan ==================================================================== : Alan Sill, Texas Tech University Office: Admin 233, MS 4-1167 : : e-mail: Alan.Sill@ttu.edu ph. 806-742-4350 fax 806-742-4358 : ====================================================================
Cowles, Robert D. wrote:
1) What CAs do we wish to consider as potential issuers for our community? Is it just "Grid CAs" (by that I mean CA we can reasonably except to adhere to best practices as specified by GGF WGs) or do we want to also consider CAs that we have no reasonable expectation of being able to impact their policies or procedures (e.g. commercial CAs) as potential issuers for our community as well?
I think that if we are successful, all this will be used in ways we can't now imagine or, in the future, control. To me, the idea of depending on CA's to issue certificates for DNs that are globally unique is just asking for trouble. Administrative controls to keep the namespaces separate are clearly not good enough. The signing policy file is a technical control but it still seems pretty weak. To me, the thing that is unique is (DN + CA) and the function of the
Bob dont you think it is a little optimistic to assume that a TTP that cannot be trusted to issue unique names to its clients, can be trusted to get a unique name for itself? regards David
CA is to try it's best to not issue a cert with the same DN to different people. I would be happy if they can do just that and I think it unreasonable to believe that the DN is unique in the universe (or even a small section thereof). The signing policy files basically allow us to say - given this DN, it should have been issued by that CA - and as far as I can see, it's because the CA is't stored in the gridmapfile (and maybe it's not there because the DN was suppoed to be unique - but that was8-10 years ago, and we know better now).
2) Do we believe that during normal operation the CAs indicated in the response to the first question have policy that will result in their issuing globally unique names and will reliably follow that policy?
I think it's not true in "normal operation" and that any moderately talented attacker would be able to generate a condition outside of "normal operations" and get *someone* to issue a certificate with any DN they chose.
3) If a CA is compromised, given currently implementations, this will
(my comments here were in an earlier email).
-- ***************************************************************** David W. Chadwick, BSc PhD Professor of Information Systems Security The Computing Laboratory, University of Kent, Canterbury, CT2 7NF Tel: +44 1227 82 3221 Fax +44 1227 762 811 Mobile: +44 77 96 44 7184 Email: D.W.Chadwick@kent.ac.uk Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html Research Web site: http://sec.cs.kent.ac.uk Entrust key validation string: MLJ9-DU5T-HV8J PGP Key ID is 0xBC238DE5 *****************************************************************
participants (4)
-
Alan Sill -
Cowles, Robert D. -
David Chadwick -
Von Welch