On Sat, Apr 04, 2015 at 02:45:07PM +1000, Fraser Tweedale wrote:
On Thu, Apr 02, 2015 at 10:28:12AM -0700, Christina Fu wrote:
> Hi Fraser,
>
> please see my response in-line ...
>
> Christina
>
Thanks for your comments, Christina. I think unique DN is the highest
priority; the other aspects can come a bit later.
Cheers,
Fraser
I filed tickets for the OCSP delegation[1] and sub-CA certificate
profiles[2].
[1] https://fedorahosted.org/pki/ticket/1337
[2] https://fedorahosted.org/pki/ticket/1338
> On 04/01/2015 08:47 PM, Fraser Tweedale wrote:
> >Hi Christina,
> >
> >The following questions emerged in recent discussions and work on
> >sub-CAs. Your responses will be helpful in working out what work is
> >needed, and when.
> >
> >
> >*OCSP signing*
> >
> >Currently sub-CAs sign OCSP responses with the CA signing
> >certificate, rather than using the CA cert to sign an OCSP signing
> >cert and delegating OCSP signing to it.
> >
> >Question: do you expect customers who use sub-CAs will want to be
> >able to choose whether sub-CAs have an OCSP signing delegate? If so,
> >how fine-grained should the control be (instance-wide config,
> >per-subCA, etc?), and can this feature be deferred (i.e. is OCSP
> >signing directly by CA acceptable for initial release of sub-CAs)?
> In general, I don't think people are aware of, nor do they care, who signs
> what as long as it works. However, if we want to make a default choice for
> them, I think it's best if we make the right one. For a secure site, I'd
> choose to have a separate OCSP responder with a separate ocsp signing cert,
> as the administrator of the ocsp response system would not need to have
> access to the CA's signing keys. The separate ocsp signing cert would also
> allow it to be given a shorter validity period than that of the CA.
>
> If your target customers don't really care much about the above then
> technically, I don't see any issue -- the clients should work as long as
> your ocsp signing cert is valid.
>
> >
> >
> >*Sub-CA DNs*
> >
> >There is currently no check that a sub-CA's DN is unique.
> >
> >Question: should we enforce CA DN uniqueness within the Dogtag
> >instance?
> Yes. There exists a UniqueSubjectNameConstraint that can be used for this
> purpose.
>
> >
> >
> >*Sub-CA certificate profile*
> >
> >Currently sub-CA certificates are created using the `caCert' profile
> >(the same profile that is used for the self-signed root
> >certificate).
> >
> >Question: how much control over aspects of the sub-CA certificates
> >will customers need or want? (e.g. validity period,
> >pathLenConstraint, nonstandard extensions, etc). Is using the
> >`caCert' profile defaults fine for the initial release?
>
> I think it's fine. As long as we provide the flexibility, they can always
> create new ones if they see fit.
>
> >
> >
> >Look forward to your input.
> >
> >Cheers,
> >Fraser
>
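Christina's case for a delegated OCSP signing certificate (its own key, so the responder host never holds the CA key, and a shorter validity than the CA) is something a relying party or an audit script can check for. The following is an added Go example, not Dogtag code and not from anyone on this thread: it builds a constructed in-memory sub-CA with two responder certificates and classifies an OCSP signer as the CA itself, a properly delegated responder (issued directly by the CA and carrying id-kp-OCSPSigning, per RFC 6960 section 4.2.2.2), or neither. The names, serials and validity periods are made up for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// ClassifyOCSPSigner returns "direct" when the CA's own certificate signed the OCSP response, "delegated"
// when the signer is a responder cert this CA issued with id-kp-OCSPSigning (RFC 6960 4.2.2.2), else an error.
func ClassifyOCSPSigner(signer, ca *x509.Certificate) (string, error) {
	if signer.Equal(ca) {
		return "direct", nil
	}
	if err := signer.CheckSignatureFrom(ca); err != nil {
		return "", errors.New("responder cert not issued by this CA: " + err.Error())
	}
	for _, eku := range signer.ExtKeyUsage {
		if eku == x509.ExtKeyUsageOCSPSigning {
			return "delegated", nil
		}
	}
	return "", errors.New("responder cert lacks the id-kp-OCSPSigning EKU")
}
func mustCert(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err) // the demo data below is constructed, so a failure here is a bug
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// DemoHierarchy builds constructed in-memory test data: a sub-CA and two responder certs it issued, with and without the EKU.
func DemoHierarchy() (*x509.Certificate, *x509.Certificate, *x509.Certificate) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	rPub, _, _ := ed25519.GenerateKey(rand.Reader) // own key pair: the responder host never holds the CA key
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Sub-CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now(), NotAfter: time.Now().AddDate(10, 0, 0)}
	ca := mustCert(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey))
	respTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Demo OCSP Responder"},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(0, 6, 0)} // six months, far shorter than the CA's ten years
	good := mustCert(x509.CreateCertificate(rand.Reader, respTmpl, ca, rPub, caKey))
	respTmpl.SerialNumber, respTmpl.ExtKeyUsage = big.NewInt(3), nil // same profile minus the OCSP signing EKU
	return ca, good, mustCert(x509.CreateCertificate(rand.Reader, respTmpl, ca, rPub, caKey))
}
```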