Ben Clifford wrote:
> Your plan seems reasonable.
> I think step 1 introduces a slight weakness in that clients will now
> accept more host certificates than they previously did.
Good observation about the acceptance of more host certs, but I'd like
to argue that those additional certs are the only ones that will be
trusted without the dns reverse lookup. In other words, those additional
certs are the more trusted ones!
>> 3) make step 2) optional through a config parameter such that those
>> that do not want to rely on insecure DNS at all can turn it off.
> I think that eventually the default for this should change so that DNS is
> not used (perhaps preceded by several years of outputting a warning that
> insecure DNS lookup is being performed).
Agreed.
> Another thing I find equally unpleasant about host certificates in the
> presence of multiple CAs (which is the case in all but the most trivial
> deployments) is that any CA may issue a host certificate for any host; and
> so (to a first approximation) any person may acquire a host certificate
> for any host name whatsoever, which can then be combined with a spoof of
> the forward lookup DNS.
Good observation - our signing policy files do limit the trust in CAs by
restricting the subject names (... which we should also start supporting
for Java...).
-Frank.
--
Frank Siebenlist [EMAIL PROTECTED]
The Globus Alliance - Argonne National Laboratory
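The two checks discussed in the thread, a signing-policy namespace restriction per CA and a host-name match that needs no reverse DNS lookup, as an added example written for this page (not code from Globus or from either author). The policy text is a constructed sample in the classic three-line signing_policy layout; `check_host_cert` and its inputs are assumptions for illustration.

```python
import fnmatch
import shlex

# Constructed sample in the Globus signing_policy format (assumed layout:
# access_id_CA / pos_rights / cond_subjects lines for one CA).
SAMPLE_POLICY = """\
# Signing policy for a constructed example CA
access_id_CA   X509   '/C=US/O=Example Grid/CN=Example Grid CA'
pos_rights     globus CA:sign
cond_subjects  globus '"/C=US/O=Example Grid/*"'
"""


def parse_signing_policy(text):
    """Map each CA DN to the subject-name globs it is trusted to sign."""
    policy, ca_dn, can_sign = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue
        key, _, value = parts
        if key == "access_id_CA":
            ca_dn, can_sign = value.strip("'"), False
        elif key == "pos_rights":
            can_sign = value == "CA:sign"
        elif key == "cond_subjects" and ca_dn and can_sign:
            # value looks like '"/C=US/O=A/*" "/C=US/O=B/*"'; drop outer quotes
            policy.setdefault(ca_dn, []).extend(shlex.split(value.strip("'")))
    return policy


def check_host_cert(policy, issuer_dn, subject_dn, expected_host):
    """Return (accepted, reason) for a host cert presented by expected_host."""
    allowed = policy.get(issuer_dn)
    if not allowed:
        return False, "issuer has no signing policy"
    # A CA may only vouch for subjects inside its configured namespace, so a
    # certificate it issued for some other organisation's host is refused.
    if not any(fnmatch.fnmatchcase(subject_dn, pat) for pat in allowed):
        return False, "subject outside the namespace this CA may sign"
    # Globus host certs carry CN=host/<fqdn>; compare against the name the
    # client actually connected to, with no reverse DNS lookup involved.
    cn = subject_dn.rsplit("/CN=", 1)[-1]
    name = cn[len("host/"):] if cn.startswith("host/") else cn
    if name.lower() != expected_host.lower():
        return False, "certificate is for %s, not %s" % (name, expected_host)
    return True, "ok"
```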