On Thu, Apr 02, 2015 at 10:28:12AM -0700, Christina Fu wrote:
Hi Fraser,
please see my response in-line ...
Christina
Thanks for your comments Christina. I think unique DN is the highest
priority; the other aspects can come a bit later.
Cheers,
Fraser
On 04/01/2015 08:47 PM, Fraser Tweedale wrote:
>Hi Christina,
>
>The following questions emerged in recent discussions and work on
>sub-CAs. Your responses will be helpful in working out what work is
>needed, and when.
>
>
>*OCSP signing*
>
>Currently sub-CAs sign OCSP responses with the CA signing
>certificate, rather than using the CA cert to sign an OCSP signing
>cert and delegating OCSP signing to it.
>
>Question : do you expect customers who use sub-CAs will want to be
>able to choose whether sub-CAs have OCSP signing delegate? If so,
>how fine-grained should the control be (instance-wide config,
>per-subCA, etc?), and can this feature be deferred (i.e. is OCSP
>signing directly by CA acceptable for initial release of sub-CAs)?
In general, I don't think people are aware nor do they care who signs what
as long as it works. However, if we want to make a default choice for them,
I think it's best if we make the right one. For a secure site, I'd choose
to have a separate OCSP responder with a separate ocsp signing cert, as the
administrator of the ocsp response system would not need to have access to
the CA's signing keys. The separate ocsp signing cert could also be given a
shorter validity period than that of the CA.
If your target customers don't really care much about the above then
technically, I don't see any issue -- the clients should work as long as
your ocsp signing cert is valid.
>
>
>*Sub-CA DNs*
>
>There is currently no check that a sub-CA's DN is unique.
>
>Question : should we enforce CA DN uniqueness within the Dogtag
>instance?
Yes. There exists a UniqueSubjectNameConstraint that can be used for this
purpose.
>
>
>*Sub-CA certificate profile*
>
>Currently sub-CA certificates are created using the `caCert' profile
>(the same profile that is used for the self-signed root
>certificate).
>
>Question : how much control over aspects of the sub-CA certificates
>will customers need or want? (e.g. validity period,
>pathLenConstraint, nonstandard extensions, etc). Is using the
>`caCert' profile defaults fine for the initial release?
I think it's fine. As long as we provide the flexibility, they can always
create new ones if they see fit.
>
>
>Look forward to your input.
>
>Cheers,
>Fraser
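The three points raised in the thread (a delegated OCSP signing certificate instead of signing responses with the CA key, enforcing unique sub-CA subject DNs, and the pathLenConstraint a sub-CA profile would set) as one added, stand-alone example. This is not Dogtag code and not part of the original message; it uses the Python `cryptography` package to build a small in-process PKI (root, sub-CA with pathLen 0, a short-lived delegated OCSP signer, a leaf), signs an OCSP response with the delegate, and applies the RFC 6960 section 4.2.2.2 rule a client uses to decide whether to trust the responder: the signer is either the issuing CA itself, or holds a certificate issued by that CA carrying id-kp-OCSPSigning. All names, key sizes and validity periods are assumptions chosen for the example; the DN registry compares RFC 4514 strings, a simplification of RFC 5280 name matching and of what UniqueSubjectNameConstraint does against the certificate database.

```python
"""Delegated OCSP signing with responder acceptance checks (RFC 6960 4.2.2.2),
pathLenConstraint enforcement and sub-CA subject-DN uniqueness, using the
`cryptography` package. Keys, names and validity periods are constructed here
for illustration; this is not Dogtag's implementation."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

NOW = datetime.datetime.now(datetime.timezone.utc)


def dn(cn):
    """Constructed subject DN: CN=<cn>,O=EXAMPLE."""
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn),
                      x509.NameAttribute(NameOID.ORGANIZATION_NAME, "EXAMPLE")])


def issue(subject, key, issuer_cert, issuer_key, *, ca=False, path_len=None,
          days=365, ocsp_signer=False):
    """Issue a certificate (issuer_cert=None means self-signed). A CA whose own
    pathLenConstraint is 0 is refused when asked to issue another CA cert."""
    if issuer_cert is None:
        issuer_name = subject
    else:
        issuer_name = issuer_cert.subject
        bc = issuer_cert.extensions.get_extension_for_class(x509.BasicConstraints).value
        if ca and bc.path_length == 0:
            raise ValueError("issuer has pathLenConstraint=0; cannot issue a CA certificate")
    b = (x509.CertificateBuilder()
         .subject_name(subject).issuer_name(issuer_name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=days))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=path_len), critical=True))
    if ocsp_signer:
        # id-kp-OCSPSigning marks the delegate; id-pkix-ocsp-nocheck tells clients not
        # to look up the responder cert's own revocation status (RFC 6960 4.2.2.2.1).
        b = (b.add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), critical=False)
              .add_extension(x509.OCSPNoCheck(), critical=False))
    return b.sign(issuer_key, hashes.SHA256())


class SubCARegistry:
    """Refuses a second sub-CA with an already-used subject DN. Compares RFC 4514
    strings, a simplification of RFC 5280 name matching."""
    def __init__(self):
        self._by_dn = {}

    def add(self, cert):
        key = cert.subject.rfc4514_string()
        if key in self._by_dn:
            raise ValueError(f"sub-CA DN already in use: {key}")
        self._by_dn[key] = cert
        return cert


def sign_ocsp_response(subject_cert, issuer_cert, responder_cert, responder_key):
    """GOOD response for subject_cert signed by responder_key; the responder cert is
    embedded so a client can locate it and apply the acceptance rule below."""
    return (ocsp.OCSPResponseBuilder()
            .add_response(cert=subject_cert, issuer=issuer_cert, algorithm=hashes.SHA256(),
                          cert_status=ocsp.OCSPCertStatus.GOOD, this_update=NOW,
                          next_update=NOW + datetime.timedelta(hours=1),
                          revocation_time=None, revocation_reason=None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, responder_cert)
            .certificates([responder_cert])
            .sign(responder_key, hashes.SHA256()))


def directly_issued_by(cert, issuer):
    """True if cert's signature verifies under issuer's key and the names chain."""
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False
    return cert.issuer == issuer.subject


def responder_acceptable(resp, responder_cert, issuer_cert):
    """RFC 6960 4.2.2.2: accept if the response verifies under responder_cert and the
    responder is the issuing CA itself, or was issued by it with id-kp-OCSPSigning."""
    try:
        responder_cert.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                           ec.ECDSA(resp.signature_hash_algorithm))
    except InvalidSignature:
        return False
    if responder_cert == issuer_cert:
        return True
    try:
        eku = responder_cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return False
    return ExtendedKeyUsageOID.OCSP_SIGNING in eku and directly_issued_by(responder_cert, issuer_cert)


def demo():
    """root -> sub-CA (pathLen 0) -> leaf, plus a 30-day delegated OCSP signer."""
    root_key, sub_key, ocsp_key, leaf_key = [ec.generate_private_key(ec.SECP256R1()) for _ in range(4)]
    root = issue(dn("Root CA"), root_key, None, root_key, ca=True, path_len=1, days=3650)
    reg = SubCARegistry()
    sub = reg.add(issue(dn("Sub CA"), sub_key, root, root_key, ca=True, path_len=0, days=1825))
    signer = issue(dn("Sub CA OCSP Signer"), ocsp_key, sub, sub_key, days=30, ocsp_signer=True)
    leaf = issue(dn("server.example.test"), leaf_key, sub, sub_key, days=90)

    delegated = sign_ocsp_response(leaf, sub, signer, ocsp_key)  # the delegated design
    direct = sign_ocsp_response(leaf, sub, sub, sub_key)         # CA key signs directly
    rogue = sign_ocsp_response(leaf, sub, leaf, leaf_key)        # no OCSPSigning EKU

    dup_rejected = pathlen_enforced = False
    try:
        reg.add(issue(dn("Sub CA"), ec.generate_private_key(ec.SECP256R1()), root, root_key,
                      ca=True, path_len=0))
    except ValueError:
        dup_rejected = True
    try:
        issue(dn("Sub-sub CA"), ec.generate_private_key(ec.SECP256R1()), sub, sub_key, ca=True)
    except ValueError:
        pathlen_enforced = True
    return {"delegated_ok": responder_acceptable(delegated, signer, sub),
            "direct_ok": responder_acceptable(direct, sub, sub),
            "rogue_ok": responder_acceptable(rogue, leaf, sub),
            "status": delegated.certificate_status.name,
            "duplicate_dn_rejected": dup_rejected, "pathlen_enforced": pathlen_enforced}


if __name__ == "__main__":
    print(demo())
```

Both the delegated and the direct responder are accepted by the client rule, which is why a client does not notice which design a CA chose; the difference is operational: the responder host only needs the 30-day signer key, and the CA signing key never leaves the CA. The `rogue` case shows the check that makes delegation safe, a certificate from the same CA without id-kp-OCSPSigning cannot vouch for the CA's certificates.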