[Pki-devel] assorted sub-CA use case questions

Fraser Tweedale ftweedal at redhat.com
Sat Apr 4 04:45:07 UTC 2015


On Thu, Apr 02, 2015 at 10:28:12AM -0700, Christina Fu wrote:
> Hi Fraser,
> 
> please see my response in-line ...
> 
> Christina
> 
Thanks for your comments, Christina.  I think unique DN is the highest
priority; the other aspects can come a bit later.

Cheers,
Fraser

> On 04/01/2015 08:47 PM, Fraser Tweedale wrote:
> >Hi Christina,
> >
> >The following questions emerged in recent discussions and work on
> >sub-CAs.  Your responses will be helpful in working out what work is
> >needed, and when.
> >
> >
> >*OCSP signing*
> >
> >Currently sub-CAs sign OCSP responses with the CA signing
> >certificate, rather than using the CA cert to sign an OCSP signing
> >cert and delegating OCSP signing to it.
> >
> >Question : do you expect customers who use sub-CAs will want to be
> >able to choose whether sub-CAs have an OCSP signing delegate?  If so,
> >how fine-grained should the control be (instance-wide config,
> >per-subCA, etc?), and can this feature be deferred (i.e. is OCSP
> >signing directly by CA acceptable for initial release of sub-CAs)?
> In general, I don't think people are aware nor do they care who signs what
> as long as it works.  However, if we want to make a default choice for them,
> I think it's best if we make the right one.  For a secure site, I'd choose
> to have a separate OCSP responder with a separate ocsp signing cert, as the
> administrator of the ocsp response system would not need to have access to
> the CA's signing keys.  The separate ocsp signing cert would also allow it
> to be given a shorter validity period than that of the CA.
> 
> If your target customers don't really care much about the above then
> technically, I don't see any issue -- the clients should work as long as
> your ocsp signing cert is valid.
> 
> >
> >
> >*Sub-CA DNs*
> >
> >There is currently no check that a sub-CA's DN is unique.
> >
> >Question : should we enforce CA DN uniqueness within the Dogtag
> >instance?
> Yes. There exists a UniqueSubjectNameConstraint that can be used for this
> purpose.
> 
> >
> >
> >*Sub-CA certificate profile*
> >
> >Currently sub-CA certificates are created using the `caCert' profile
> >(the same profile that is used for the self-signed root
> >certificate).
> >
> >Question : how much control over aspects of the sub-CA certificates
> >will customers need or want?  (e.g. validity period,
> >pathLenConstraint, nonstandard extensions, etc).  Is using the
> >`caCert' profile defaults fine for the initial release?
> 
> I think it's fine.  As long as we provide the flexibility, they can always
> create new ones if they see fit.
> 
> >
> >
> >Look forward to your input.
> >
> >Cheers,
> >Fraser
> 
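The two points that came up in the thread, a delegated OCSP signing cert with its own key and a shorter lifetime than the CA, and a uniqueness check on sub-CA subject DNs, are illustrated below in an added example that is not Dogtag code and not part of the original mail. It uses the `cryptography` package; the function and class names (`make_ca`, `make_ocsp_signer`, `is_delegated_ocsp_signer`, `UniqueSubjectRegistry`) are hypothetical and the DN registry only approximates what a UniqueSubjectNameConstraint would do inside a CA.

```python
"""Added example (not Dogtag code): delegated OCSP signer certs and CA DN uniqueness.

Assumes the `cryptography` package. All function and class names here are
hypothetical illustrations, not Dogtag APIs.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

UTC = datetime.timezone.utc


def _utc_end(cert):
    # cryptography >= 42 exposes aware *_utc properties; older versions return naive UTC.
    end = getattr(cert, "not_valid_after_utc", None)
    return end if end is not None else cert.not_valid_after.replace(tzinfo=UTC)


def _normalize_dn(name):
    # Structural DN comparison: RDN order kept, attribute types compared by OID,
    # values compared case-insensitively with surrounding whitespace stripped
    # (a caseIgnoreMatch-style comparison, adequate for CN/O/OU attributes).
    return tuple(
        tuple(sorted((a.oid.dotted_string, str(a.value).strip().lower()) for a in rdn))
        for rdn in name.rdns
    )


class UniqueSubjectRegistry:
    """Hypothetical stand-in for a unique-subject-name constraint on CA certs."""

    def __init__(self):
        self._seen = set()

    def claim(self, name):
        key = _normalize_dn(name)
        if key in self._seen:
            raise ValueError("duplicate CA subject DN: " + name.rfc4514_string())
        self._seen.add(key)


def _sign(subject, issuer, pubkey, signer_key, not_before, not_after, exts):
    builder = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
               .public_key(pubkey).serial_number(x509.random_serial_number())
               .not_valid_before(not_before).not_valid_after(not_after))
    for ext, critical in exts:
        builder = builder.add_extension(ext, critical=critical)
    return builder.sign(signer_key, hashes.SHA256())


def _key_usage(cert_sign):
    return x509.KeyUsage(digital_signature=True, content_commitment=False,
                         key_encipherment=False, data_encipherment=False,
                         key_agreement=False, key_cert_sign=cert_sign, crl_sign=cert_sign,
                         encipher_only=False, decipher_only=False)


def make_ca(cn, days, issuer=None, registry=None, now=None):
    """Root CA when issuer is None, otherwise a sub-CA signed by issuer=(cert, key)."""
    now = now or datetime.datetime.now(UTC)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    if registry is not None:
        registry.claim(subject)  # reject a duplicate DN before spending time on a key
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    issuer_name, signer = (issuer[0].subject, issuer[1]) if issuer else (subject, key)
    end = now + datetime.timedelta(days=days)
    if issuer:
        end = min(end, _utc_end(issuer[0]))  # a sub-CA must not outlive its issuer
    exts = [(x509.BasicConstraints(ca=True, path_length=None), True), (_key_usage(True), True)]
    return _sign(subject, issuer_name, key.public_key(), signer, now, end, exts), key


def make_ocsp_signer(ca, cn, days, now=None):
    """Delegated OCSP responder cert issued by ca=(cert, key): separate key, no CA bit,
    id-kp-OCSPSigning, id-pkix-ocsp-nocheck, validity clamped to the issuing CA's."""
    now = now or datetime.datetime.now(UTC)
    ca_cert, ca_key = ca
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    end = min(now + datetime.timedelta(days=days), _utc_end(ca_cert))
    exts = [
        (x509.BasicConstraints(ca=False, path_length=None), True),
        (_key_usage(False), True),
        (x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), False),
        (x509.OCSPNoCheck(), False),
    ]
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return _sign(subject, ca_cert.subject, key.public_key(), ca_key, now, end, exts), key


def is_delegated_ocsp_signer(cert, ca_cert):
    """True if cert is an acceptable delegated responder for ca_cert (RFC 6960 2.6):
    signed by the CA, carrying id-kp-OCSPSigning, and not outliving the CA."""
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except Exception:
        return False
    return ExtendedKeyUsageOID.OCSP_SIGNING in eku and _utc_end(cert) <= _utc_end(ca_cert)
```

A root and a sub-CA are created through the same registry, so a second sub-CA whose CN differs only in case or whitespace is rejected; the OCSP signer asks for ten years but is clamped to the sub-CA's remaining lifetime, and `is_delegated_ocsp_signer` rejects a CA cert used directly (no OCSPSigning EKU) as well as a responder cert checked against the wrong CA.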