
Re: charter revisions



"Hallam-Baker, Phillip" wrote:
> > Bob Jueneman wrote:
> > > I wasn't suggesting that logos should be restricted to end-entities,
> > > I was only pointing out that such a restriction would immediately
> > > make the issue of name subordination and misuse of the logo by some
> > > intermediate CA go away.
> >
> > This isn't true. Name constraints allow me to cross certify IBM's CA
> > but indicate that the only DNs it is trusted to certify are those that
> > begin with "c=us, o=IBM". Even if logos are restricted to end-entities,
> > there's nothing stopping IBM's CA from placing a Sun logo in an
> > end-entity certificate. So restricting logos to end-entities doesn't
> > "make the issue of name subordination and misuse of the logo by some
> > intermediate CA go away."
> 
> I don't see this as a problem for several reasons:
> 
> 1) Logotypes have utility even if they cannot be used with
> cross-certification.

Their utility would be substantially reduced.

> 2) The security of the infrastructure depends on the DNS system and
> not the X.500 name system. The fact that the name is constrained as
> you state does not in practice affect Internet applications. It might
> affect OSI applications if any existed.

Name constraints work the same way for dNSName and rfc822Name name
forms, as well as for X.500 DNs that use the domainComponent attribute
type. I recognize that many CAs stuff DNS and rfc822 names into DNs
using the commonName or EmailAddress attribute types. This practice is
"deprecated but permitted", according to RFC 2459 and successors. Lack
of support for name constraints is one reason why.

> 3) The objection is simply a restatement of the proposition that
> 'bad things happen if you cross certify with someone who
> is not trustworthy'. This is not news.

Name constraints allow you to limit the "bad things" that happen. You
can trust MIT to certify MIT affiliates without worrying about whether
they might issue a certificate claiming to be for George W. Bush.

Most bridge CAs employ name constraints in this fashion. I recognize
that the bridge CA model (and perhaps cross-certification in general)
does not fit well with some business models, but it is quite popular in
many communities. Name constraints and other technology that supports
cross-certification and the bridge CA model are an important part of RFC
2459 and successors.

If logotypes are in fact inconsistent with cross-certification, then
they may not be suitable for use on the Internet.

> > Apparently, you haven't read the draft that serves as the basis for
> > this discussion, draft-ietf-pkix-logotypes-00.txt. The suggested
> > format is a message digest and a URL.
> 
> The basis for this discussion is the proposed charter amendments.

Reading the latest Internet Draft on the topic will help avoid needless
digressions.

-Steve
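
An added example, not part of the original message or of any PKIX implementation: a minimal permitted-subtree check for the three name forms discussed above (directoryName, dNSName, rfc822Name), following the RFC 5280 matching rules. All function names and sample names are hypothetical, and the DN parser assumes simple comma-separated RDNs with no escaped commas.

```python
# Added illustration; every name below is constructed sample data.
# Assumption: DNs are written most-significant RDN first, as in "c=us, o=IBM".

def parse_dn(dn):
    """Split a DN string into normalized (type, value) RDN pairs."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().lower(), " ".join(value.split()).lower()))
    return rdns

def dn_within(subject, subtree):
    """directoryName: the subtree's RDNs must be a prefix of the subject's."""
    s, c = parse_dn(subject), parse_dn(subtree)
    return s[:len(c)] == c

def dns_within(name, subtree):
    """dNSName: equal to the subtree, or the subtree with labels added on the left."""
    n = name.lower().rstrip(".").split(".")
    c = subtree.lower().rstrip(".").split(".")
    return len(n) >= len(c) and n[-len(c):] == c

def email_within(addr, subtree):
    """rfc822Name: subtree is a mailbox, a host, or '.domain' (subdomains only)."""
    local, _, host = addr.rpartition("@")
    if "@" in subtree:
        c_local, _, c_host = subtree.rpartition("@")
        return local == c_local and host.lower() == c_host.lower()
    if subtree.startswith("."):
        return host.lower().endswith(subtree.lower())
    return host.lower() == subtree.lower()

MATCHERS = {"directoryName": dn_within, "dNSName": dns_within,
            "rfc822Name": email_within}

def permitted(names, subtrees):
    """names and subtrees are lists of (form, value). A name is rejected only
    when subtrees of its own form exist and none of them contains it."""
    for form, value in names:
        same_form = [v for f, v in subtrees if f == form]
        if same_form and not any(MATCHERS[form](value, v) for v in same_form):
            return False
    return True

if __name__ == "__main__":
    ibm = [("directoryName", "c=us, o=IBM")]
    print(permitted([("directoryName", "c=us, o=IBM, cn=Alice")], ibm))  # True
    print(permitted([("directoryName", "c=us, o=Sun, cn=Bob")], ibm))    # False
```

Because constraints are evaluated per name form, a DNS name placed in commonName is never tested against a dNSName subtree, which is the gap the "deprecated but permitted" practice leaves open.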