[Pki-devel] assorted sub-CA use case questions
Christina Fu
cfu at redhat.com
Thu Apr 2 17:28:12 UTC 2015
Hi Fraser,
please see my response in-line ...
Christina
On 04/01/2015 08:47 PM, Fraser Tweedale wrote:
> Hi Christina,
>
> The following questions emerged in recent discussions and work on
> sub-CAs. Your responses will be helpful in working out what work is
> needed, and when.
>
>
> *OCSP signing*
>
> Currently sub-CAs sign OCSP responses with the CA signing
> certificate, rather than using the CA cert to sign an OCSP signing
> cert and delegating OCSP signing to it.
>
> Question : do you expect customers who use sub-CAs will want to be
> able to choose whether sub-CAs have OCSP signing delegate? If so,
> how fine-grained should the control be (instance-wide config,
> per-subCA, etc?), and can this feature be deferred (i.e. is OCSP
> signing directly by CA acceptable for initial release of sub-CAs)?
In general, I don't think people are aware nor do they care who signs
what as long as it works. However, if we want to make a default choice
for them, I think it's best if we make the right one. For a secure
site, I'd choose to have a separate OCSP responder with a separate ocsp
signing cert, as the administrator of the ocsp response system would not
need to have access to the CA's signing keys. The separate ocsp signing
cert would also allow it to be given a shorter validity period than that
of the CA.
If your target customers don't really care much about the above then
technically, I don't see any issue -- the clients should work as long as
your ocsp signing cert is valid.
>
>
> *Sub-CA DNs*
>
> There is currently no check that a sub-CA's DN is unique.
>
> Question : should we enforce CA DN uniqueness within the Dogtag
> instance?
Yes. There exists a UniqueSubjectNameConstraint that can be used for
this purpose.
>
>
> *Sub-CA certificate profile*
>
> Currently sub-CA certificates are created using the `caCert' profile
> (the same profile that is used for the self-signed root
> certificate).
>
> Question : how much control over aspects of the sub-CA certificates
> will customers need or want? (e.g. validity period,
> pathLenConstraint, nonstandard extensions, etc). Is using the
> `caCert' profile defaults fine for the initial release?
I think it's fine. As long as we provide the flexibility, they can
always create new ones if they see fit.
>
>
> Look forward to your input.
>
> Cheers,
> Fraser
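As an added illustration of the OCSP delegation point above (example code, not Dogtag's or the thread authors' own): the block below builds a CA key and certificate, issues it a delegated OCSP signing certificate with the id-kp-OCSPSigning extended key usage and a much shorter validity than the CA, and then checks whether a given responder certificate is an acceptable delegate for that CA under the RFC 6960 section 4.2.2.2 rules (issued and signed by the CA, carries id-kp-OCSPSigning, and does not outlive the CA certificate). It assumes the `cryptography` package is installed; all names, subject DNs and lifetimes are constructed for the example.

```python
# Added example, not Dogtag code. Assumes the `cryptography` package
# (https://cryptography.io) is installed. All DNs/lifetimes are constructed.
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Fixed "now" so the example is reproducible (constructed value).
NOW = datetime.datetime(2015, 4, 2, tzinfo=datetime.timezone.utc)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _signing_key_usage(cert_sign):
    # A CA gets keyCertSign/cRLSign; a delegated OCSP signer only digitalSignature.
    return x509.KeyUsage(
        digital_signature=True, content_commitment=False, key_encipherment=False,
        data_encipherment=False, key_agreement=False, key_cert_sign=cert_sign,
        crl_sign=cert_sign, encipher_only=False, decipher_only=False)


def _not_after(cert):
    # not_valid_after_utc exists in cryptography >= 42; fall back on older releases.
    return getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after


def make_ca(cn, years=10):
    """Self-signed CA (stands in for a sub-CA signing cert) valid for `years`."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(_name(cn))
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW)
            .not_valid_after(NOW + datetime.timedelta(days=365 * years))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .add_extension(_signing_key_usage(cert_sign=True), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def make_ocsp_signer(ca_key, ca_cert, cn, days=30):
    """Delegated OCSP signing cert: its own key, OCSPSigning EKU, short life."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(ca_cert.subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW)
            .not_valid_after(NOW + datetime.timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .add_extension(_signing_key_usage(cert_sign=False), critical=True)
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]),
                           critical=False)
            # id-pkix-ocsp-nocheck: clients need not check the short-lived signer's own status.
            .add_extension(x509.OCSPNoCheck(), critical=False)
            .sign(ca_key, hashes.SHA256()))
    return key, cert


def delegate_problems(ca_cert, responder_cert):
    """Reasons why responder_cert is NOT an acceptable OCSP delegate for
    ca_cert (RFC 6960 s4.2.2.2). An empty list means it is acceptable.
    (A CA signing responses directly with its own cert is the other
    permitted case and is deliberately not what this function checks.)"""
    problems = []
    if responder_cert.issuer != ca_cert.subject:
        problems.append("issuer does not match the CA subject")
    else:
        try:
            ca_cert.public_key().verify(
                responder_cert.signature, responder_cert.tbs_certificate_bytes,
                padding.PKCS1v15(), responder_cert.signature_hash_algorithm)
        except InvalidSignature:
            problems.append("signature does not verify under the CA key")
    try:
        eku = responder_cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        if ExtendedKeyUsageOID.OCSP_SIGNING not in eku:
            problems.append("EKU lacks id-kp-OCSPSigning")
    except x509.ExtensionNotFound:
        problems.append("no ExtendedKeyUsage extension")
    if _not_after(responder_cert) > _not_after(ca_cert):
        problems.append("validity extends past the CA certificate")
    return problems


if __name__ == "__main__":
    ca_key, ca_cert = make_ca("Example Sub-CA")
    _, ocsp_cert = make_ocsp_signer(ca_key, ca_cert, "Example OCSP Responder")
    print("delegated signer:", delegate_problems(ca_cert, ocsp_cert) or "acceptable")
    print("CA cert as delegate:", delegate_problems(ca_cert, ca_cert))
```

Running the module shows the two cases the thread contrasts: the delegated signer passes every check, while the CA certificate presented as a delegate is rejected for lacking the OCSPSigning EKU (it may still sign responses directly, as Dogtag does today, but then the responder host holds the CA signing key). The `days=30` default is the constructed shorter lifetime Christina's reply argues for; passing a lifetime longer than the CA's makes the last check fail.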