Hi Fraser,
Please see my response inline ...
Christina
On 04/01/2015 08:47 PM, Fraser Tweedale wrote:
Hi Christina,
The following questions emerged in recent discussions and work on
sub-CAs. Your responses will be helpful in working out what work is
needed, and when.
*OCSP signing*
Currently sub-CAs sign OCSP responses with the CA signing
certificate, rather than using the CA cert to sign an OCSP signing
cert and delegating OCSP signing to it.
Question : do you expect customers who use sub-CAs will want to be
able to choose whether sub-CAs have OCSP signing delegated? If so,
how fine-grained should the control be (instance-wide config,
per-subCA, etc?), and can this feature be deferred (i.e. is OCSP
signing directly by CA acceptable for initial release of sub-CAs)?
In general, I don't think people are aware, nor do they care, who signs
what as long as it works. However, if we want to make a default choice
for them, I think it's best if we make the right one. For a secure
site, I'd choose to have a separate OCSP responder with a separate OCSP
signing cert, as the administrator of the OCSP response system would not
need to have access to the CA's signing keys. The separate OCSP signing
cert could also be given a shorter validity period than that of
the CA.
If your target customers don't really care much about the above then
technically, I don't see any issue -- the clients should work as long as
your OCSP signing cert is valid.
*Sub-CA DNs*
There is currently no check that a sub-CA's DN is unique.
Question : should we enforce CA DN uniqueness within the Dogtag
instance?
Yes. There exists a UniqueSubjectNameConstraint that can be used for
this purpose.
*Sub-CA certificate profile*
Currently sub-CA certificates are created using the `caCert' profile
(the same profile that is used for the self-signed root
certificate).
Question : how much control over aspects of the sub-CA certificates
will customers need or want? (e.g. validity period,
pathLenConstraint, nonstandard extensions, etc). Is using the
`caCert' profile defaults fine for the initial release?
I think it's fine. As long as we provide the flexibility, they can
always create new ones if they see fit.
Look forward to your input.
Cheers,
Fraser
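The two points Christina raises above, a separate short-lived OCSP signing certificate issued by the CA so that the responder operator never holds the CA signing key, and a uniqueness constraint on sub-CA subject DNs, both come down to checks that a CA or a relying party can enforce mechanically. The Go program below is an added example written for this page, not Dogtag code: it builds a constructed root -> sub-CA -> delegated OCSP signer hierarchy with the standard crypto/x509 package and runs two checks, the RFC 6960 rules for a delegated responder certificate (issued directly by the CA it answers for, id-kp-OCSPSigning extended key usage, valid at the time of use, plus this example's own policy that the signer must not outlive its issuer) and a subject-DN uniqueness check against already-issued CA certificates. All names, serial numbers and lifetimes are constructed for the demo, and the function names are the example's own, not Dogtag's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"slices"
	"time"
)

// must panics on error; the demo has no meaningful recovery path for key or cert generation.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// caTemplate builds a CA certificate template; names, serials and lifetimes are constructed for the demo.
func caTemplate(cn string, serial int64, validFor time.Duration, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now, NotAfter: now.Add(validFor),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign | x509.KeyUsageDigitalSignature,
	}
}

// issue signs tmpl with key under parent (pass tmpl itself as parent for a self-signed root).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key))))
}

// CheckDelegatedOCSPSigner applies the RFC 6960 delegated-responder rules: the signer must be
// issued directly by the CA whose certificates it reports on, carry id-kp-OCSPSigning, and be
// valid at `at`. Requiring it to expire no later than its issuer is this example's added policy.
func CheckDelegatedOCSPSigner(signer, issuer *x509.Certificate, at time.Time) error {
	if err := signer.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("OCSP signer not issued by this CA: %w", err)
	}
	if !slices.Contains(signer.ExtKeyUsage, x509.ExtKeyUsageOCSPSigning) {
		return errors.New("OCSP signer lacks the id-kp-OCSPSigning extended key usage")
	}
	if at.Before(signer.NotBefore) || at.After(signer.NotAfter) {
		return fmt.Errorf("OCSP signer certificate is not valid at %s", at.UTC().Format(time.RFC3339))
	}
	if signer.NotAfter.After(issuer.NotAfter) {
		return errors.New("OCSP signer outlives its issuing CA")
	}
	return nil
}

// CheckUniqueSubject rejects a candidate CA subject DN already carried by an issued CA certificate.
func CheckUniqueSubject(issued []*x509.Certificate, candidate pkix.Name) error {
	for _, c := range issued {
		if c.Subject.String() == candidate.String() {
			return fmt.Errorf("subject DN %q already issued as serial %v", candidate.String(), c.SerialNumber)
		}
	}
	return nil
}

// RunDemo builds root -> sub-CA -> OCSP signer and returns the result of each check.
func RunDemo() (delegatedOK, missingEKU, duplicateDN error) {
	now := time.Now()
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	rootKey, subKey, ocspKey := newKey(), newKey(), newKey()
	rootTmpl := caTemplate("Example Root CA", 1, 20*365*24*time.Hour, now)
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	subTmpl := caTemplate("Example Sub-CA", 2, 10*365*24*time.Hour, now)
	subCA := issue(subTmpl, root, &subKey.PublicKey, rootKey)
	// Delegated responder: short-lived, non-CA, id-kp-OCSPSigning, signed with the sub-CA key.
	ocspTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "Example Sub-CA OCSP Responder"},
		NotBefore: now, NotAfter: now.Add(30 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning},
	}
	signer := issue(ocspTmpl, subCA, &ocspKey.PublicKey, subKey)
	// Same key and issuer but no EKU: a relying party must refuse responses signed by it.
	plainTmpl := *ocspTmpl
	plainTmpl.SerialNumber, plainTmpl.ExtKeyUsage = big.NewInt(4), nil
	plain := issue(&plainTmpl, subCA, &ocspKey.PublicKey, subKey)
	// A second sub-CA request reusing the first sub-CA's DN must be refused.
	return CheckDelegatedOCSPSigner(signer, subCA, now), CheckDelegatedOCSPSigner(plain, subCA, now),
		CheckUniqueSubject([]*x509.Certificate{subCA}, subTmpl.Subject)
}

func main() { fmt.Println(RunDemo()) } // prints the three check results
```

Run with `go run .`: the first result is nil (the properly delegated signer passes), the second and third are the rejection messages for the signer without id-kp-OCSPSigning and for the duplicate sub-CA DN. The outlives-issuer rule is the part to adapt to local policy; the issuer check and the EKU check are what clients implementing RFC 6960 already require, so a CA that delegates OCSP signing without the EKU will see its responses rejected regardless of local configuration.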