[Pki-devel] assorted sub-CA use case questions

Fraser Tweedale ftweedal at redhat.com
Wed Apr 8 08:07:15 UTC 2015


On Sat, Apr 04, 2015 at 02:45:07PM +1000, Fraser Tweedale wrote:
> On Thu, Apr 02, 2015 at 10:28:12AM -0700, Christina Fu wrote:
> > Hi Fraser,
> > 
> > please see my response in-line ...
> > 
> > Christina
> > 
> Thanks for your comments Christina.  I think unique DN is the highest
> priority; the other aspects can come a bit later.
> 
> Cheers,
> Fraser
> 
I filed tickets for the OCSP delegation[1] and sub-CA certificate
profiles[2].

[1] https://fedorahosted.org/pki/ticket/1337
[2] https://fedorahosted.org/pki/ticket/1338

> > On 04/01/2015 08:47 PM, Fraser Tweedale wrote:
> > >Hi Christina,
> > >
> > >The following questions emerged in recent discussions and work on
> > >sub-CAs.  Your responses will be helpful in working out what work is
> > >needed, and when.
> > >
> > >
> > >*OCSP signing*
> > >
> > >Currently sub-CAs sign OCSP responses with the CA signing
> > >certificate, rather than using the CA cert to sign an OCSP signing
> > >cert and delegating OCSP signing to it.
> > >
> > >Question : do you expect customers who use sub-CAs will want to be
> > >able to choose whether sub-CAs have OCSP signing delegate?  If so,
> > >how fine-grained should the control be (instance-wide config,
> > >per-subCA, etc?), and can this feature be deferred (i.e. is OCSP
> > >signing directly by CA acceptable for initial release of sub-CAs)?
> > In general, I don't think people are aware nor do they care who signs what
> > as long as it works.  However, if we want to make a default choice for them,
> > I think it's best if we make the right one.  For a secure site, I'd choose
> > to have a separate OCSP responder with a separate ocsp signing cert, as the
> > administrator of the ocsp response system would not need to have access to
> > the CA's signing keys.  The separate ocsp signing cert would also allow it
> > to be given a shorter validity period than that of the CA.
> > 
> > If your target customers don't really care much about the above then
> > technically, I don't see any issue -- the clients should work as long as
> > your ocsp signing cert is valid.
> > 
> > >
> > >
> > >*Sub-CA DNs*
> > >
> > >There is currently no check that a sub-CA's DN is unique.
> > >
> > >Question : should we enforce CA DN uniqueness within the Dogtag
> > >instance?
> > Yes. There exists a UniqueSubjectNameConstraint that can be used for this
> > purpose.
> > 
> > >
> > >
> > >*Sub-CA certificate profile*
> > >
> > >Currently sub-CA certificates are created using the `caCert' profile
> > >(the same profile that is used for the self-signed root
> > >certificate).
> > >
> > >Question : how much control over aspects of the sub-CA certificates
> > >will customers need or want?  (e.g. validity period,
> > >pathLenConstraint, nonstandard extensions, etc).  Is using the
> > >`caCert' profile defaults fine for the initial release?
> > 
> > I think it's fine.  As long as we provide the flexibility, they can always
> > create new ones if they see fit.
> > 
> > >
> > >
> > >Look forward to your input.
> > >
> > >Cheers,
> > >Fraser
> > 
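The delegation Christina describes above, worked through as an added example that is not part of the thread or of Dogtag's code base: a sub-CA issues a short-lived responder certificate carrying the id-kp-OCSPSigning extended key usage, and a relying party applies the RFC 6960 section 4.2.2.2 rule to decide whether a given signer may vouch for that sub-CA's certificates (the issuer itself, or a certificate the issuer signed that has the OCSP signing EKU). It uses the `cryptography` Python library; the CA names, validity periods and the "NOW" timestamp are constructed for the example.

```python
"""Delegated OCSP signing: issue a responder cert and check its acceptability.

Added example, not Dogtag code.  Shows the trade-off from the thread: the OCSP
responder signs with its own short-lived certificate instead of the CA signing
key, so the responder host never holds the CA key, and the client-side check
(RFC 6960 4.2.2.2) that makes such a delegated signer acceptable.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

NOW = datetime.datetime(2015, 4, 8)  # constructed reference time (naive = UTC)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _ca_extensions(path_len):
    # pathLenConstraint is one of the knobs the "sub-CA profile" question is about
    return [
        (x509.BasicConstraints(ca=True, path_length=path_len), True),
        (x509.KeyUsage(digital_signature=True, content_commitment=False,
                       key_encipherment=False, data_encipherment=False,
                       key_agreement=False, key_cert_sign=True, crl_sign=True,
                       encipher_only=False, decipher_only=False), True),
    ]


def _ocsp_signer_extensions():
    return [
        (x509.BasicConstraints(ca=False, path_length=None), True),
        (x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), False),
        # RFC 6960 4.2.2.2.1: clients need not check the responder cert's own status
        (x509.OCSPNoCheck(), False),
    ]


def issue(subject_cn, days, extensions, signer=None):
    """Issue a certificate for a fresh EC key; signer=None means self-signed."""
    key = ec.generate_private_key(ec.SECP256R1())
    if signer is None:
        signer_key, issuer_name = key, _name(subject_cn)
    else:
        signer_key, issuer_name = signer[0], signer[1].subject
    builder = (x509.CertificateBuilder()
               .subject_name(_name(subject_cn))
               .issuer_name(issuer_name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(NOW)
               .not_valid_after(NOW + datetime.timedelta(days=days)))
    for ext, critical in extensions:
        builder = builder.add_extension(ext, critical)
    return key, builder.sign(signer_key, hashes.SHA256())


def acceptable_ocsp_signer(issuer_cert, signer_cert, now=NOW):
    """RFC 6960 4.2.2.2: the response signer is the issuer of the certificate
    being checked, or a responder certificate that issuer signed which carries
    id-kp-OCSPSigning and is currently valid."""
    if signer_cert == issuer_cert:
        return True
    if signer_cert.issuer != issuer_cert.subject:
        return False
    try:
        issuer_cert.public_key().verify(signer_cert.signature,
                                        signer_cert.tbs_certificate_bytes,
                                        ec.ECDSA(signer_cert.signature_hash_algorithm))
    except InvalidSignature:
        return False
    if not (signer_cert.not_valid_before <= now <= signer_cert.not_valid_after):
        return False
    try:
        eku = signer_cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return False
    return ExtendedKeyUsageOID.OCSP_SIGNING in eku


def demo():
    """Build root -> sub-CA -> responder and evaluate several candidate signers."""
    root_key, root = issue("Example Root CA", 3650, _ca_extensions(1))
    sub_key, sub = issue("Example Sub CA", 1825, _ca_extensions(0), (root_key, root))
    # 30-day responder cert: far shorter than the sub-CA's own validity
    _, responder = issue("Example Sub CA OCSP Responder", 30,
                         _ocsp_signer_extensions(), (sub_key, sub))
    _, plain = issue("plain.example.test", 365,
                     [(x509.BasicConstraints(ca=False, path_length=None), True)],
                     (sub_key, sub))
    _, wrong_issuer = issue("Other Responder", 30, _ocsp_signer_extensions(),
                            (root_key, root))
    return {
        "ca_signs_directly": acceptable_ocsp_signer(sub, sub),
        "delegated": acceptable_ocsp_signer(sub, responder),
        "no_eku": acceptable_ocsp_signer(sub, plain),
        "wrong_issuer": acceptable_ocsp_signer(sub, wrong_issuer),
        "expired_delegate": acceptable_ocsp_signer(
            sub, responder, now=NOW + datetime.timedelta(days=31)),
    }


if __name__ == "__main__":
    print(demo())
```

The delegated signer is accepted only when the sub-CA itself signed it and it carries the OCSP signing EKU; a certificate with the right EKU issued by the root, or one the sub-CA issued without the EKU, is rejected, and the short validity means an expired responder cert stops being accepted without touching the CA.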