On 09/09/2013 10:24 AM, Nalin Dahyabhai wrote:
> On Mon, Sep 09, 2013 at 10:05:59AM -0400, John Dennis wrote:
>> On 09/09/2013 10:02 AM, Nalin Dahyabhai wrote:
>>> I'd expect it to depend heavily on whether or not you're chaining up to
>>> an external CA. Personally, I'd very much want to keep a different set
>>> of trust anchors for PKINIT in that situation.
>>
>> If you've got an external CA you still effectively have one trust anchor
>> that can be revoked because we create a sub-CA from the external CA. Or
>> perhaps I misunderstood what you were suggesting.
>
> My main concern is that the external CA, having issued one sub CA to us,
> can do so again for another customer, and trusting certificates because
> they chain up to that CA also allows that CA's other clients to issue
> certificates that we'd then also automatically trust.
>
> We can't revoke such certificates (which is done by noting the
> combination of issuer and serial number) until we know about them, and
> we'll only know about one of them after someone's used it to attempt to
> authenticate, possibly successfully.
Good point. Isn't there an X509 extension (possibly part of PKIX?) which
restricts membership in the chain path to a criterion? In other words you can
require your sub-CA to be present in the chain. Sorry, but my memory is a bit
fuzzy on this.

-- 
John
_______________________________________________
Freeipa-devel mailing list
https://www.redhat.com/mailman/listinfo/freeipa-devel
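The trust-anchor choice Nalin and John are debating, as an added example that is not code from this thread or from FreeIPA: it builds a throwaway hierarchy with Go's standard crypto/x509 (an external root, "our" sub-CA and another customer's sub-CA issued by that same root, and one client certificate under each), then verifies each client certificate twice, once with the external root as the trust anchor and once with only our sub-CA as the anchor. All names, serial numbers and the function names BuildDemoPKI and Accepted are this example's own constructions; PKINIT-specific checks (Kerberos principal in the SAN, the KDC's own policy) are deliberately left out, since the point shown is only which certificate is trusted as the anchor.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// certAndKey pairs a parsed certificate with the private key behind it.
type certAndKey struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// template returns a short-lived certificate template; isCA selects a
// signing CA versus a client-authentication leaf.
func template(serial int64, cn string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	return t
}

// issue signs tmpl with parent, or self-signs it when parent is nil.
func issue(tmpl *x509.Certificate, parent *certAndKey) (*certAndKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &certAndKey{Cert: cert, Key: key}, nil
}

// DemoPKI is the constructed hierarchy from the thread: an external root that
// issued one sub-CA to us and another to a different customer, plus one client
// certificate under each sub-CA. All names and serials are made up.
type DemoPKI struct {
	ExternalRoot, OurSubCA, OtherSubCA, OurClient, OtherClient *x509.Certificate
}

// BuildDemoPKI generates the hierarchy with fresh keys. Both client certs carry
// the same subject and serial on purpose: revocation is keyed by issuer plus
// serial, so revoking ours says nothing about the other customer's.
func BuildDemoPKI() (*DemoPKI, error) {
	root, err := issue(template(1, "External Root CA", true), nil)
	if err != nil {
		return nil, err
	}
	ours, err := issue(template(2, "Our IPA Sub-CA", true), root)
	if err != nil {
		return nil, err
	}
	other, err := issue(template(3, "Other Customer Sub-CA", true), root)
	if err != nil {
		return nil, err
	}
	ourLeaf, err := issue(template(10, "alice@EXAMPLE.TEST", false), ours)
	if err != nil {
		return nil, err
	}
	otherLeaf, err := issue(template(10, "alice@EXAMPLE.TEST", false), other)
	if err != nil {
		return nil, err
	}
	return &DemoPKI{root.Cert, ours.Cert, other.Cert, ourLeaf.Cert, otherLeaf.Cert}, nil
}

// Accepted reports whether leaf builds a valid client-auth chain ending at
// anchor, with the supplied certificates available as intermediates.
func Accepted(leaf, anchor *x509.Certificate, intermediates ...*x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(anchor)
	inter := x509.NewCertPool()
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inter,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

func main() {
	p, err := BuildDemoPKI()
	if err != nil {
		panic(err)
	}
	all := []*x509.Certificate{p.ExternalRoot, p.OurSubCA, p.OtherSubCA}
	fmt.Println("anchor=external root, our client:  ", Accepted(p.OurClient, p.ExternalRoot, all...))
	fmt.Println("anchor=external root, other client:", Accepted(p.OtherClient, p.ExternalRoot, all...))
	fmt.Println("anchor=our sub-CA,    our client:  ", Accepted(p.OurClient, p.OurSubCA, all...))
	fmt.Println("anchor=our sub-CA,    other client:", Accepted(p.OtherClient, p.OurSubCA, all...))
}
```

With the external root as the anchor, the other customer's client certificate verifies exactly like ours, which is Nalin's concern; with only our sub-CA in the root pool, it is rejected even though the external root is offered as an intermediate, and nothing has to be revoked for that to hold. Go's verifier accepts a non-self-signed certificate as a trust anchor, so pinning the sub-CA this way needs no extension in the certificates themselves.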
