Re: [db-wg] Re: [ncc-services-wg] X.509 authentication in the RIPE Database
- Date: Thu, 17 Jul 2003 14:07:43 +0200
On Thursday, Jul 17, 2003, at 13:48 Europe/Stockholm, Randy Bush wrote:

>>> someone getting at the root CA key at an RIR
>>
>> There would still be the very similar issue of someone getting at the
>> certificate that the RIR bought from the third party CA.
>
> no, as that would not be installed in my browser to be absolutely
> trusted.
A friend explained it like this (more people on this list might know Dirk-Willem van Gulik).

paf
You do have to separate completely the server->client auth and the client->server auth; they do not really overlap, though they are rather identical and traditionally shared certs. But they do not have to.
I.e.
o The web server _may_ have a cert A.
  A may be signed by A or by B.
o The browser talks to the web server. It may check that A
  is on a list of certs it trusts; or that A is signed
  by a cert which is on a list of certs it trusts. Such as
  'B'. And so on up the chain. Until it runs out or finds
  a cert it trusts.
o A user _may_ have a cert C1.
o That cert may be signed by C1 or by D.
o A web server can decide to ONLY allow access to people who
  have a cert it has on a list (i.e. C1, C2, C3..) or
  those that are signed by a cert on a list (D, ..) and
  so on up the chain. And perhaps check it is still valid
  time-wise and not on a revocation list.
At any point it is _easier_ if they all end up being signed by some root
CA; as then you do not have to keep your own long lists (A, C1, C2, C3)
about all the servers and clients you trust on either side. And as a user
you just need a few root CAs.
I.e. in the web server you need to configure
-> your own cert, pub and private
-> and add all the pubs in your signing chain up to
   the top (as in the SSL protocol you may be asked
   for them by the client).
And in order to check your clients you need
-> A (list of) certs you trust, i.e. the C1..C4
   or a cert which signed C1..C4 or higher up.
-> And perhaps validity/revocation lists.
Likewise on the client side you need to keep
-> A list of all the root CAs you ultimately trust.
-> Your own client cert
-> and all certs up the chain as you may be asked
   for it.
But ultimately and over time, some of your root CAs go bad, so a user
needs to remove them from his browser list; and ultimately you need
to revoke, so you need to keep some sort of admin lists of C1, C2..
etc.
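The chain walk the mail describes (accept a cert on the trust list, otherwise climb via its issuer, and reject on expiry, revocation, or a chain that runs out), as an added Python example that is not part of the original mail. It models certs by name only and does not check real signatures, which a real X.509 validator must do; the cert names and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 cert (constructed model: names only, no real signatures)."""
    name: str      # subject, e.g. "C1"
    issuer: str    # subject of the cert that signed it; equals name if self-signed
    not_before: datetime
    not_after: datetime
def verify_chain(leaf, presented, trusted, revoked, now, max_depth=8):
    """Walk up from `leaf`; return the name of the trusted cert that ends the walk, else None.
    Accept a cert that is on `trusted` (the C1..C4 / D list in the mail); otherwise find its
    issuer among the presented or trusted certs and keep climbing. Reject on expiry,
    revocation, or a chain that runs out before reaching a trusted cert."""
    by_name = {c.name: c for c in list(presented) + list(trusted)}
    trusted_names = {c.name for c in trusted}
    cur = leaf
    for _ in range(max_depth):
        if not (cur.not_before <= now <= cur.not_after):
            return None                  # expired or not yet valid
        if cur.name in revoked:
            return None                  # on the revocation list
        if cur.name in trusted_names:
            return cur.name              # reached a cert we trust
        if cur.issuer == cur.name:
            return None                  # self-signed but not trusted: chain ran out
        cur = by_name.get(cur.issuer)
        if cur is None:
            return None                  # issuer neither presented nor trusted
    return None                          # chain too long

# Constructed sample certs, dated around the thread (July 2003); D is the root CA.
UTC = timezone.utc
NOW = datetime(2003, 7, 17, tzinfo=UTC)
D = Cert("D", "D", datetime(2000, 1, 1, tzinfo=UTC), datetime(2010, 1, 1, tzinfo=UTC))
E = Cert("E", "D", datetime(2002, 1, 1, tzinfo=UTC), datetime(2005, 1, 1, tzinfo=UTC))
C1 = Cert("C1", "D", datetime(2003, 1, 1, tzinfo=UTC), datetime(2004, 1, 1, tzinfo=UTC))
C2 = Cert("C2", "E", datetime(2003, 1, 1, tzinfo=UTC), datetime(2004, 1, 1, tzinfo=UTC))
C3 = Cert("C3", "D", datetime(2001, 1, 1, tzinfo=UTC), datetime(2002, 1, 1, tzinfo=UTC))
def demo():
    """Server trusts only D; each client presents its own cert plus any intermediates."""
    return {
        "c1_signed_by_d":       verify_chain(C1, [C1], [D], set(), NOW),     # "D"
        "c2_with_intermediate": verify_chain(C2, [C2, E], [D], set(), NOW),  # "D"
        "c2_missing_e":         verify_chain(C2, [C2], [D], set(), NOW),     # None
        "c3_expired":           verify_chain(C3, [C3], [D], set(), NOW),     # None
        "c1_revoked":           verify_chain(C1, [C1], [D], {"C1"}, NOW),    # None
        "c1_on_list_directly":  verify_chain(C1, [C1], [C1], set(), NOW),    # "C1"
    }
```

The `c2_missing_e` case is the "add all the pubs in your signing chain" point: the leaf is fine, but the server cannot reach D without the intermediate.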