[db-wg] Re: [ncc-services-wg] X.509 authentication in the RIPE Database
- Previous message (by thread): [db-wg] Re: [ncc-services-wg] X.509 authentication in the RIPE Database
- Next message (by thread): [db-wg] Re: [ncc-services-wg] X.509 authentication in the RIPE Database
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Patrik Fältström
paf at cisco.com
Thu Jul 17 14:07:43 CEST 2003
On torsdag, jul 17, 2003, at 13:48 Europe/Stockholm, Randy Bush wrote: >>> someone getting at the root CA key at an RIR >> There would still be the very similar issue of someone getting at the >> certificate that the RIR bought from the third party CA. > > no, as that would not be installed in my browser to be absolutely > trusted. A friend explained it like this (more people on this list might know Dirk-Willem van Gulik). paf > You do have to separate completely the server->client auth and the > client->server auth; they do not really over lap; though are rather > identical; and traditionally shared certs. But do not have to. > > I.e. > > o The web server _may_ have a cert A. > > A may be signed by A or by B. > > o The browser talks to the web server. It may check that A > is on a list of cert's it trusts; or that A is signed > by a cert which is on a list of cert's its trust. Such as > 'B'. And so on up the chain. Until it runs out or finds > a cert it trusts. > > o A user _may_ have a cert C1. > > o That cert may be signed by C1 or by D. > > o A web server can deceide to ONLY allow access to people which > have a cert it has on a list (i.e. C1, C2, C3.. ) or > those that are signed by a cert on a list (D, ..) and > so on up the chain. And perhaps check it is still valid > time wise and not on a revocation list. > > At any point it is _easier_ if they all end up being signed by some > root > CA; as then you do not have to keep your own long lists (A, C1, C2, C3) > about all the servers and clients you trust on either side. And as a > user > you just need a few root CA's. > > I.e. in the web server you need to configure > > -> your own cert pub and private > > -> and add all the pub's in your signing chain up to > the top (as in the SSL protocol you may be asked > for them by the client). > > And in order to check your clients you need > > -> A (list of) cert you trust, i.e. the C1..C4 > or a cert which signed C1..C4 or higher up. > > -> And perhaps valid/revoc lists. > > Likewise on the client side you need to keep > > -> A list of all the root CA's you ultimately trust. > > -> Your own client cert > > -> and all certs up the chain as oyu may be asked > for it. > > But ultimately and over time; some of your root CA's go bad; so a user > needs to remove them from his browser list; and ultimately you need > to revocate so you need to keep some sort of admin lists of C1, C2.. > etc.
- Previous message (by thread): [db-wg] Re: [ncc-services-wg] X.509 authentication in the RIPE Database
- Next message (by thread): [db-wg] Re: [ncc-services-wg] X.509 authentication in the RIPE Database
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ db-wg Archives ]