On Mon, Sep 09, 2013 at 10:05:59AM -0400, John Dennis wrote:
> On 09/09/2013 10:02 AM, Nalin Dahyabhai wrote:
> > I'd expect it to depend heavily on whether or not you're chaining up to
> > an external CA. Personally, I'd very much want to keep a different set
> > of trust anchors for PKINIT in that situation.
> If you've got an external CA you still effectively have one trust anchor
> that can be revoked because we create a sub-CA from the external CA. Or
> perhaps I misunderstood what you were suggesting.
My main concern is that the external CA, having issued one sub CA to us,
can do so again for another customer, and trusting certificates because
they chain up to that CA also allows that CA's other clients to issue
certificates that we'd then also automatically trust.
We can't revoke such certificates (which is done by noting the
combination of issuer and serial number) until we know about them, and
we'll only know about one of them after someone's used it to attempt to
authenticate, possibly successfully.
Freeipa-devel mailing list