
Reply: Re: Certificate Policies (was Re: Trivial PKI Question)

Maybe I got your point: certificate policies are useless without agreement
on the meaning of specific policy-OIDs and it is hard to establish such a
meaning in most cases.

However, not in all cases. The way Europe deals with qualified signatures
looks like an issue where the certificate policy extension may be useful.
One may look at the EU directive on qualified signatures and the various
national laws implementing the directive in the member states as
standardized policies, granting certain features to a relying party. E.g.
the EU directive grants to a relying party that the private key is well
protected on a secure device and that the issuer of the certificate is
liable for the correctness of the content of the certificate and you can
identify uniquely a person related to the certificate and so on. The German
signature law grants all this and furthermore that electronic documents
carrying a qualified signature are treated as strong evidence in a German
court in almost the same way a written contract on paper is. So if a
relying party is interested in obtaining electronic documents that it may
use later like contracts it will ask for those features. It can do so by
checking for the presence of a standardized policy-OID.

A certificate policy extension with a standardized OID in it grants
specific features. Multiple policy extensions may grant different features
which is fine as long as those features are not in contradiction to each
other. A proper way to use the certificate policy extension within the European
framework of qualified signatures would be to insert an identifier for
"adhering to the EU-directive" (ETSI did define one) and an additional
identifier for "adhering to the xyz member state law on this" (in Germany
an OID for this is defined).  So a relying party can ask for qualified
certificates in general or for qualified certificates with special
additional features as granted by national law. One can say it can ask for
a "car" or ask for a "green car". Looking more closely at it one may as
well use the tree-like organization of OIDs to construct policy-OIDs in an
OOP-like manner.

Of course the RP still has to decide which CAs to accept or not and
configure its trusted certificate repository accordingly. So if the RP is
interested in obtaining qualified signatures it may as well do this by
applying marks to the CAs stored in its trusted certificate repository, as
long as there is a one-to-one relationship between a trusted CA key and a
policy. However I believe that proper usage of standardized policy-OIDs by
CAs would reduce the amount of configuration work at relying parties and
may help to avoid catch-22s in some cases.

Conclusion: a certificate policy extension is useful if standardized
policy-OIDs do exist.


"Anders Rundgren" <anders.rundgren@telia.com>
Sent by: owner-ietf-pkix@mail.imc.org
13.03.2003 08:04

To:      "Steve Hanna" <steve.hanna@xxxxxxx>
Cc:      "Santosh Chokhani" <chokhani@xxxxxxxxxxxx>, <chris.gilbert@xxxxxxxxxxxxx>, <ietf-pkix@xxxxxxx>
Subject: Re: Certificate Policies (was Re: Trivial PKI Question)


Steve,
As PKI is too complex not only for IS-departments, but
even for [all of] us who claim we are experts on the subject,
I only take out one item, although a "favorite" :-)

>> - What do these policies imply (function: web-server/e-mail or
>>   legal: hi-value/lo-value)? This is IMO a pretty broken part
>>   of  policy extensions.  And very hard to "repair" as well

>As RFC 2527 and X.509 say, a certificate policy typically
>"indicates the applicability of a certificate to a particular
>community and/or class of application with common security
>requirements." Among other things, it might say what applications
>the certificate can be used for or what warranties are provided.
>So both "function" and "legal", in your terms.

>Could you elaborate on why you think this is broken?

Regardless of what I think of policy extensions I would
never mix information that does not belong together.
This is semantic overloading (AKA "smart" coding).
It _seems_ like a revision in "legal" would affect "function"
as well, as they are expressed as a single object.   This is
what I, while wearing my system architect cap, would
characterize as "broken beyond repair".

If I'm wrong here please pardon me, I do not claim to be
an expert in _this_ particular area of PKI.

Anders
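
The relying-party check described at the top of this reply, "ask for a car or ask for a green car" by looking for standardized policy OIDs, as an added worked example that is not code from either poster or from any CA product. It encodes and parses the certificatePolicies extension at the DER level using only the Python standard library (the input is the contents of the extension's OCTET STRING, i.e. what you get after unwrapping extnValue from a real certificate). The two ETSI OIDs are the qualified-certificate policy identifiers from ETSI TS 101 456; the "national" OID is a made-up placeholder and not a real assignment, and the sample extension is constructed in the code.

```python
# Added example (not from the original post or any CA product): encode and parse
# the X.509 certificatePolicies extension at DER level, standard library only.

# ETSI TS 101 456 qualified-certificate policies (qcp-public, qcp-public-with-sscd).
# NATIONAL_EXAMPLE is a hypothetical placeholder under the private-enterprise arc,
# standing in for whatever OID a member state really assigns.
QCP_PUBLIC = "0.4.0.1456.1.1"
QCP_PUBLIC_WITH_SSCD = "0.4.0.1456.1.2"
NATIONAL_EXAMPLE = "1.3.6.1.4.1.99999.1.1"   # hypothetical, not a real assignment
ANY_POLICY = "2.5.29.32.0"

def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, minimal long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]          # last byte of an arc has the high bit clear
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))

def encode_certificate_policies(oids) -> bytes:
    """SEQUENCE OF PolicyInformation ::= SEQUENCE { policyIdentifier OID };
    the OPTIONAL policyQualifiers (CPS URI, user notice) are left out."""
    return tlv(0x30, b"".join(tlv(0x30, encode_oid(o)) for o in oids))

def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, end offset); reject lengths that are not DER."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        ln, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
        if ln < 0x80 or ln.bit_length() <= 8 * (nbytes - 1):
            raise ValueError("non-minimal length is BER, not DER")
    if pos + ln > len(buf):
        raise ValueError("element runs past end of buffer")
    return tag, buf[pos:pos + ln], pos + ln

def decode_oid(content: bytes) -> str:
    if not content or content[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    arcs, val, start = [], 0, True
    for b in content:
        if start and b == 0x80:        # leading zero padding in an arc is illegal
            raise ValueError("non-minimal OID arc")
        val, start = (val << 7) | (b & 0x7F), not (b & 0x80)
        if start:
            arcs.append(val)
            val = 0
    f = arcs[0]
    a1, a2 = (0, f) if f < 40 else (1, f - 40) if f < 80 else (2, f - 80)
    return ".".join(str(x) for x in [a1, a2] + arcs[1:])

def decode_certificate_policies(extn_value: bytes):
    """Parse the extension's OCTET STRING contents into a list of dotted OIDs."""
    tag, body, end = read_tlv(extn_value, 0)
    if tag != 0x30 or end != len(extn_value):
        raise ValueError("certificatePolicies must be exactly one SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        t, info, pos = read_tlv(body, pos)
        if t != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        t2, oid_bytes, _ = read_tlv(info, 0)   # any qualifiers follow; skipped
        if t2 != 0x06:
            raise ValueError("policyIdentifier must be an OBJECT IDENTIFIER")
        oid = decode_oid(oid_bytes)
        if oid in oids:
            raise ValueError(f"policy {oid} asserted twice; RFC 5280 forbids it")
        oids.append(oid)
    if not oids:
        raise ValueError("certificatePolicies must contain at least one policy")
    return oids

def satisfies(asserted, required) -> bool:
    """Relying-party check: every OID the RP asks for must be literally asserted.
    anyPolicy only says a CA does not constrain the policy set; it does not
    assert that any named policy was followed, so it never counts as a match."""
    return all(r in asserted for r in required)

if __name__ == "__main__":
    # Constructed sample: EU-wide qualified policy plus the hypothetical national one.
    der = encode_certificate_policies([QCP_PUBLIC_WITH_SSCD, NATIONAL_EXAMPLE])
    asserted = decode_certificate_policies(der)
    print(der.hex(), asserted)
    print("green car:", satisfies(asserted, [QCP_PUBLIC_WITH_SSCD, NATIONAL_EXAMPLE]))
    print("plain qcp-public:", satisfies(asserted, [QCP_PUBLIC]))
```

Note that the check is an exact match on the OID, not a prefix match: qcp-public and qcp-public-with-sscd are siblings under the same ETSI arc, and a certificate asserting only the SSCD variant does not satisfy an RP that configured the plain one. Building the OOP-like hierarchy the reply muses about would need the RP to encode that rule explicitly. The parser also rejects BER-style non-minimal lengths and duplicate policy OIDs, both of which a lenient decoder would silently accept.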