Questions regarding RAs
Hi all,
I have some questions related to Registration Authorities (RAs), variously
referred to as LRAs, ORAs, registration agents in various parts of the PKIX
suite of drafts, which fall under the PKI Management entities category:
1. In the model where a CA is serving several RAs which in turn are serving
several EEs each, are there any formal ways for the CA to divide the
name-space between the RAs? In case of CA hierarchies, the old PEM model
used a strictly hierarchical structure even for name-spaces, i.e., the DN of
a subordinate CA had to be strictly in the subtree with the parent CA as the
root of that subtree, and similarly, the EEs' DN had to be in the subtree
under the penultimate CA. Later, in the current standards, this was amended
to use Name Space constraints. The parent CA can use Name Space constraint
extension to limit the scope of a subordinate CA. However, this extension is
currently defined only for a CA certificate. Would it make sense to use this
extension for an RA certificate? Or is the division of name-space between
RAs a local implementation matter?
2. Continuing on name-space issue, Section 5.1.2 of PKIX RoadMap says:
"Suppose for example that a rootCA is established with DN "O=IETF,
OU=PKIX, CN=PKIX_CA". That CA will then issue certificates for names
subordinate to it."
Is this strictly true? Is the CA required to issue certificates *only* for
names subordinate to it? This will be true only if the Name constraints in
the CA's cert mention this DN in the included subtrees. In general, there
need not be any relation between the CA's DN and the DN of the EEs that it
is certifying. If it is there, it will only be a local policy /
implementation issue and not an issue which standards should enforce.
3. How does one figure out from an EE's cert which RA it belongs to? Is
this even a requirement? What bearing does the current thread of discussion
"Finding PKIX Servers" have on this question, considering that the EEs will
typically consider the RAs as their PKIX Server?
4. What purpose does a "hierarchy" of RAs serve? Particularly, considering
that the "hierarchy" of RAs would have no relation to the trust hierarchy.
That is, is it reasonable to have an architecture where an RA registers
not only end entities (EEs) but other RAs? CMC allows for such a thing and
other parts of PKIX drafts do not preclude it. It does have some utility for
distributing the proofing and registration responsibilities. But couldn't
the same purpose be served by having additional RAs at the same level?
5. Does it make sense for a top level RA to be under multiple CAs? This
certainly is indicated as a possibility in section 1.2.3 of CMP. In this
case, how does the RA route the cert request it gets from an end entity
to the appropriate CA?
I have tried to look at the mailing list archives to see if these issues
were discussed before, but could not find any definitive references. It is
possible that I might have missed some threads and I apologize in advance if
that indeed has happened.
Thanks
Ani
----------------------------------------------
Aniruddha P. Shrotri (ani)
Director Engineering, E-Lock Technologies Inc.
----------------------------------------------
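
Added example, not part of the original message and not code from any PKIX draft: a sketch of how a directoryName subtree check (the matching used by name constraints, questions 1 and 2) decides whether a subject DN falls inside a subtree, and how a CA could apply the same check per RA as a local policy. The RA names, the OU=East / OU=West subtrees, the policy table and the simplified DN parsing are all assumptions made for illustration.

```python
# Simplified DN handling (assumption): root-first "ATTR=value" parts separated
# by commas, no escaped commas, no multi-valued RDNs.

def parse_dn(dn):
    """Return a tuple of (attribute, value) RDNs, normalised for comparison."""
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        # Case-insensitive match with internal whitespace collapsed.
        rdns.append((attr.strip().upper(), " ".join(value.split()).lower()))
    return tuple(rdns)

def in_subtree(dn, base):
    """True if base's RDN sequence is an initial subsequence of dn's."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[:len(b)] == b

def name_allowed(dn, permitted, excluded=()):
    """Excluded subtrees win; otherwise dn must fall in a permitted subtree."""
    if any(in_subtree(dn, e) for e in excluded):
        return False
    return any(in_subtree(dn, p) for p in permitted)

# Constructed data: the CA's permitted subtree and a hypothetical local
# table splitting that name space between two RAs.
CA_PERMITTED = ["O=IETF, OU=PKIX"]
RA_SUBTREES = {
    "ra-east": ["O=IETF, OU=PKIX, OU=East"],
    "ra-west": ["O=IETF, OU=PKIX, OU=West"],
}

def ra_may_request(ra, subject_dn):
    """A request passes only if both the CA-level and RA-level checks pass."""
    return (name_allowed(subject_dn, CA_PERMITTED)
            and name_allowed(subject_dn, RA_SUBTREES.get(ra, [])))

if __name__ == "__main__":
    dn = "O=IETF, OU=PKIX, OU=East, CN=Alice"
    for ra in ("ra-east", "ra-west", "ra-unknown"):
        print(ra, ra_may_request(ra, dn))
```

Matching is on whole RDNs, so "OU=PKIXX" is not inside the "OU=PKIX" subtree, and an RA absent from the table is refused by default.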