Re: [CAcert-Policy] CPS bugs. Vote please. Closing date of votes 21 October 12pm UTC

  • From: "Peter Williams" <home_pw AT msn.com>
  • To: "'Policy-Discussion'" <cacert-policy AT lists.cacert.org>
  • Subject: Re: [CAcert-Policy] CPS bugs. Vote please. Closing date of votes 21 October 12pm UTC
  • Date: Mon, 20 Oct 2008 20:04:08 -0700
  • List-archive: <https://lists.cacert.org/cgi-bin/mailman/private/cacert-policy>
  • List-id: Policy-Discussion <cacert-policy.lists.cacert.org>

So this has been this way for almost 20 years (actually, 1986 is the first evidence of a formal national submission, in the ISO record system).

Who is whining suddenly, and why?

The standard cross certificate model (that IS in Windows, is profiled by IETF, and _is_ actually used in Windows for DoD P772 military messaging plugins) requires cross-organization certification. Windows cert tools themselves all prepare for cross certification.

It's coming across as an attempt to remove cross-certification from certain vendors' systems - in concert, acting as a trust. We may need a trust buster. Sounds like they are trying to turn registration authorities (for roots) into control authorities enforcing systemic policy.

Why now? What's changed?

 

From: cacert-policy-bounces AT lists.cacert.org [mailto:cacert-policy-bounces AT lists.cacert.org] On Behalf Of Sam Johnston
Sent: Sunday, October 19, 2008 8:09 PM
To: Policy-Discussion
Subject: Re: [CAcert-Policy] CPS bugs. Vote please. Closing date of votes 21 October 12pm UTC

On Fri, Oct 17, 2008 at 5:46 AM, IanG <iang AT cacert.org> wrote:

> Peter Williams wrote:
> > Is a subroot simply a first- or nth-level subordinate CA chained from a root?
> >
> > They are contemplating removing from the registry those roots that have subordinate CAs in their trust network?
>
> I don't think they are contemplating removing the existing ones,
> exactly.  Instead, they are contemplating policies that mean it is
> not allowed, or it requires additional work, or something.  What is
> somewhat clear is that they are not happy with the obvious trick
> that is being played;  how they deal with it is totally unclear.

The Mozilla debates are public and Microsoft are apparently very tight lipped about their policies (ie we know nothing about them) so perhaps those introducing it into the debate could provide references?

 

The 'trick' you refer to is the issuance of a certificate to an organisation which can be used to issue other certificates containing whatever the organisation feels like. This is essentially the status quo today - we are effectively giving orgs access to our roots to mint certificates containing whatever they like.

 

> (Also, to be fair, not everyone is unhappy.  Some are happy ... and
> the debate appears only to be in early stages, at least over at
> Mozilla.)

Right, so it seems premature to introduce it here anyway.


> > As that really doesn't make any sense, technically, it makes me wondering if subroot is something other than a simple subordinate CA, chained up to the root.
>
> It is that;  the issue is not at the chaining level but at the
> semantics and legal agreements level, and whether and how the
> primary CA is responsible for the actions of the sub-CAs.
>
> (At, least that's what it appears to be.  I've seen a few expressed
> opinions on this and the clarity & consistency level is not high.)


Right, chaining for us is more a logical grouping of certificates and a way for us to show users that the verification is being done by someone else (albeit to an acceptable pre-approved standard). It is also significantly more secure in that organisations know that they are the only ones issuing certificates under their sub-root, so they can authenticate users simply by installing their sub-root into servers without having to worry about verifying the contents (e.g. the O= field), which is inherently dangerous.

Sam
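Sam's closing point (install the organisation's sub-root as the trust anchor instead of trusting the shared root and reading the O= field) can be shown with a small chain walk. This is an added example, not code from the thread or from CAcert; it uses the Python `cryptography` package, a deliberately simplified path check (no revocation, validity or name-constraint handling), and constructed certificates whose names are placeholders.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def make_cert(org, cn, issuer=None, is_ca=False):
    # issuer is (cert, key) or None for a self-signed root; returns (cert, key).
    key, now = ec.generate_private_key(ec.SECP256R1()), datetime.now(timezone.utc)
    subject = x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, org),
                         x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    cert = (x509.CertificateBuilder().subject_name(subject)
            .issuer_name(issuer[0].subject if issuer else subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=1)).not_valid_after(now + timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer[1] if issuer else key, hashes.SHA256()))
    return cert, key

def chains_to(leaf, supplied, anchor):
    # Walk leaf -> peer-supplied intermediates -> anchor, verifying every signature (simplified: no revocation/validity checks).
    by_subject = {c.subject: c for c in supplied}
    by_subject[anchor.subject] = anchor  # the anchor wins any subject-name collision
    cert = leaf
    for _ in range(len(supplied) + 1):
        issuer = by_subject.get(cert.issuer)
        try:
            if not issuer.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
                return False
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       ec.ECDSA(cert.signature_hash_algorithm))
        except (AttributeError, InvalidSignature, x509.ExtensionNotFound):
            return False  # unknown issuer, issuer without BasicConstraints, or bad signature
        if issuer == anchor:
            return True
        cert = issuer
    return False

def scenario():
    # Constructed: one root, sub-roots for Org A and Org B, and a leaf claiming O=Org A but issued under Org B.
    root = make_cert("Constructed Root CA", "Root", is_ca=True)
    sub_a = make_cert("Org A", "Org A sub-root", root, is_ca=True)
    sub_b = make_cert("Org B", "Org B sub-root", root, is_ca=True)
    honest, _ = make_cert("Org A", "alice", sub_a)
    spoofed, _ = make_cert("Org A", "mallory", sub_b)
    return (chains_to(spoofed, [sub_b[0]], root[0]),   # True: root anchor plus an O= check is fooled
            chains_to(spoofed, [sub_b[0]], sub_a[0]),  # False: Org B's key never reaches Org A's anchor
            chains_to(honest, [], sub_a[0]))           # True: Org A's own issuance
```

The first result is the dangerous case Sam describes: with the shared root as anchor, a certificate whose O= field says "Org A" validates even though Org A never issued it; pinning Org A's sub-root makes the O= field irrelevant.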

Archive powered by MHonArc 2.6.16.