Re: [IETF-PKIX] Terminology - Cross-Certification
Bob:
I think I read you as essentially supporting my (3) option, i.e.:
(3) Issuance of a certificate by a CA in one organization to a CA in
another organization. (You might substitute "domain" for "organization".)
Is this fair? (If not pls propose a 1-sentence alternative.)
Warwick
At 01:05 PM 12/16/97 -0700, Bob Jueneman wrote:
>I agree with the thrust of Al's comments, but would like to throw in an
>additional comment.
>
>To me, the primary difference between a hierarchical and a peer relationship
>between CAs is not the network topology, but rather the degree of
>legal/policy control and the (partial) assumption of liability for the
>actions of the subordinate CAs.
>
>If I am operating a corporate level CA for XYZ Corp, I might choose to go
>to a public CA such as VeriSign, GTE, etc., in order to have my CA's
>certificate signed by a recognized root key. (Sooner or later, users are
>going to start to rebel about the number of root keys that browser vendors
>are gratuitously including in their software, and then maybe some order will
>arise from the current chaos.)
>
>As a condition for having my corporate certificate listed under say GTE's
>master certificate, I would expect that I would have to sign a binding
>agreement concerning policy, perhaps including auditing and other oversight
>functions which are intended to protect relying parties and the root CA from
>undue liability.
>
>I would also expect that, as a condition of receiving a certificate from GTE,
>there would be obligatory, contractual flowdown requirements that would
>govern whether or not my top-level corporate CA could issue certificates to
>subordinate CAs within my organization, and if so what policies and policy
>OIDs would be incorporated.
>
>Now, what does it mean if two top-level CAs cross-certify each other? Does
>it mean that each will accept full financial liability for the other's
>errors and omissions, or for the failure of any of their subordinate CAs'
>particular failures? Not bloody likely!
>
>Instead, I believe that the primary use of cross-certification will be to
>ACCREDIT other CAs, in the sense of an ADVISORY rating service. Is the
>German government going to undertake any liability for what VeriSign does?
>No. But on the other hand, they might well represent to German consumers
>that VeriSign is a well-recognized CA, and appears to meet certain accepted
>standards of behavior with respect to their internal operations, auditing,
>and other controls. Likewise, VeriSign might cross-certify the German
>Government's CA, but without taking any responsibility for their actions.
>The differences in the legal regimes make it very unlikely that any legal
>obligations will flow between the CAs.
>
>In the case that someone mentioned, the University of Maryland might either
>unilaterally or bilaterally certify Purdue, but again that will only imply
>that Maryland recognizes Purdue as a bona fide institution that conforms to
>a reasonable set of practices; it would not imply any contractual or
>other liability relationship between the two institutions.
>
>In my mind, therefore, cross-certification is very much like a Standard and
>Poor's bond rating service, or maybe just a Dun and Bradstreet confirmation
>that a company exists and seems to meet the minimum criteria. If VeriSign
>cross-certifies Billy Bob's CA and Bait Shoppe as a legitimate CA when they
>are obviously not legitimate, VeriSign might very well expect to get sued.
>But if Billy Bob is in fact a reasonably competent CA that only occasionally
>fails to exercise due diligence in issuing certificates, relying parties
>should expect to go against Billy Bob, and not VeriSign. VeriSign completed
>their responsibility when they ascertained that Billy Bob was properly
>incorporated and had at least the trappings of a viable commercial service,
>but they should not be expected to cross-insure Billy Bob's operation.
>
>I would therefore disagree slightly with Al's comments in one particular
>area, where he says:
>
>>This contrasts with a peer-based architecture, in which one CA
>>essentially tells another one "I'll accept your certificates if they
>>have the following properties. What else you do is your own business; I
>>won't interfere, but things that interwork with my users must have the
>>following properties." The degree of control is much less.
>
>CAs don't accept other CAs' certificates, at least normally -- relying
>parties accept certificates. So the degree of control is even less than Al
>intimates. On the other hand, if the IT or MIS department of some
>organization essentially dictates to its users what kind of certificates are
>to be considered acceptable, then cross-certification may be a way of
>controlling that. But outside of the military I would expect that kind of
>operation to be the exception rather than the norm.
>
>Bob
>
>
>
>Robert R. Jueneman
>Security Architect
>Novell, Inc.
>Network Services Division
>122 East 1700 South
>Provo, UT 84604
>801/861-7387
>bjueneman@novell.com
>
>"If you are trying to get to the moon, climbing a tree,
>although a step in the right direction, will not prove
>to be very helpful."
>
>"The most dangerous strategy is to cross the chasm in two leaps."
>
>
---------------------------------------------------------------------
Warwick Ford, VeriSign, Inc., One Alewife Center, Cambridge, MA 02140
wford@verisign.com; Tel: (617)492 2816 x225; Fax: (617)661 0716
---------------------------------------------------------------------