This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[db-wg] Re: [ncc-services-wg] X.509 authentication in the RIPE Database
- Previous message (by thread): [db-wg] Re: [ncc-services-wg] X.509 authentication in the RIPE Database
- Next message (by thread): [db-wg] Re: [ncc-services-wg] X.509 authentication in the RIPE Database
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Patrik Fältström
paf at cisco.com
Thu Jul 17 14:07:43 CEST 2003
On torsdag, jul 17, 2003, at 13:48 Europe/Stockholm, Randy Bush wrote:
>>> someone getting at the root CA key at an RIR
>> There would still be the very similar issue of someone getting at the
>> certificate that the RIR bought from the third party CA.
>
> no, as that would not be installed in my browser to be absolutely
> trusted.
A friend explained it like this (more people on this list might know
Dirk-Willem van Gulik).
paf
> You do have to separate completely the server->client auth and the
> client->server auth; they do not really over lap; though are rather
> identical; and traditionally shared certs. But do not have to.
>
> I.e.
>
> o The web server _may_ have a cert A.
>
> A may be signed by A or by B.
>
> o The browser talks to the web server. It may check that A
> is on a list of cert's it trusts; or that A is signed
> by a cert which is on a list of cert's its trust. Such as
> 'B'. And so on up the chain. Until it runs out or finds
> a cert it trusts.
>
> o A user _may_ have a cert C1.
>
> o That cert may be signed by C1 or by D.
>
> o A web server can deceide to ONLY allow access to people which
> have a cert it has on a list (i.e. C1, C2, C3.. ) or
> those that are signed by a cert on a list (D, ..) and
> so on up the chain. And perhaps check it is still valid
> time wise and not on a revocation list.
>
> At any point it is _easier_ if they all end up being signed by some
> root
> CA; as then you do not have to keep your own long lists (A, C1, C2, C3)
> about all the servers and clients you trust on either side. And as a
> user
> you just need a few root CA's.
>
> I.e. in the web server you need to configure
>
> -> your own cert pub and private
>
> -> and add all the pub's in your signing chain up to
> the top (as in the SSL protocol you may be asked
> for them by the client).
>
> And in order to check your clients you need
>
> -> A (list of) cert you trust, i.e. the C1..C4
> or a cert which signed C1..C4 or higher up.
>
> -> And perhaps valid/revoc lists.
>
> Likewise on the client side you need to keep
>
> -> A list of all the root CA's you ultimately trust.
>
> -> Your own client cert
>
> -> and all certs up the chain as oyu may be asked
> for it.
>
> But ultimately and over time; some of your root CA's go bad; so a user
> needs to remove them from his browser list; and ultimately you need
> to revocate so you need to keep some sort of admin lists of C1, C2..
> etc.
- Previous message (by thread): [db-wg] Re: [ncc-services-wg] X.509 authentication in the RIPE Database
- Next message (by thread): [db-wg] Re: [ncc-services-wg] X.509 authentication in the RIPE Database
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ db-wg Archives ]