On Aug 11, 2014, at 11:58 AM, Tim Bruijnzeels <[email protected]> wrote:
> ...
> The *one* thing I (and I believe we..) challenge is whether an 
> overclaimed resource should invalidate a complete certificate, instead of 
> invalidating just the resources at hand, but allowing the remainder.
> ...
> The following two we may be able to mitigate technically, because we are 
> dealing with co-operating parties:
>  @1 There is a mis-timing in certificate shrinking in a transfer between 
> co-operating parties.
>  @2 There is a mis-timing in the parent publishing a cert with extended 
> resource, and issuing it to the child, and the child using those resources in 
> turn.
> 
> But this is the one that has me scared. It is not the issuing CA being 
> sloppy, it’s a problem between them and *their* parent:
> @1 The *grand*-parent shrinks the *parent* certificate without the parent 
> knowing about this, and some of these resources appear on the, now 
> overclaiming, child certificate. The grand-parent and parent are not involved 
> in an active transfer process. They may not agree that the resource in 
> question should be removed, or the grand-parent may have shrunk these 
> resources in error.
> 
> By rejecting the overclaiming child certificate completely I think we are 
> being too harsh, or pedantic even. We know better, so we are just not going 
> to trust this one. But.. there is a very real possibility that we actually 
> *do* know better than the issuing CA at this point. So, what exactly is the 
> problem with accepting the remaining resources? i.e. the intersection between 
> the parent certificate’s resources and this certificate. We know the context, 
> this evaluation is very easy and well-defined. If the CA really intended that 
> the remaining resources should not be tied to the certificate, they would 
> have revoked. If the grand-parent really intended that those resources should 
> not be certified anymore, they would have removed them as well.

I'm certain there is a simple answer for this question, but it eludes me
at the present time...

Given the risks of full resource list invalidation due to overclaiming, why
aren't distinct certificates used for distinct resources?  If this is not 
practical in general, wouldn't it at least be prudent to "groom" resources 
that are going to be transferred into their own certificate so that the rest 
of the resources held by the original child are not put at validation risk 
(if a coordination error were to occur in subsequent transfer processing)?

Thanks!
/John
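As an added illustration (not part of the thread), the following toy Python model compares the two validation rules being debated: the strict rule, under which any overclaimed resource invalidates the whole child certificate and everything beneath it, and the "accept the intersection" rule Tim proposes; it also models John's idea of grooming the resources about to be transferred into their own certificate. Certificate names, the integer "resources" (standing in for prefixes or ASNs) and the shrinking scenario are constructed assumptions.

```python
"""Toy model of RPKI resource-certificate path validation, comparing the strict
rule (an overclaimed resource invalidates the whole certificate) with the
"accept the intersection" rule argued for in the thread above."""
from dataclasses import dataclass, field

@dataclass
class Cert:
    name: str
    resources: set  # addresses or ASNs, modelled as plain ints for clarity
    children: list = field(default_factory=list)

def validate(cert, parent_accepted, reconsidered):
    """Return {cert name: resources accepted as validly certified}.

    reconsidered=False: strict rule. Any overclaim rejects the certificate and,
    because its children are then checked against an empty set, everything below.
    reconsidered=True: keep the intersection with the parent's accepted
    resources; only the overclaimed part is dropped.
    """
    overclaim = cert.resources - parent_accepted
    if overclaim and not reconsidered:
        accepted = set()
    else:
        accepted = cert.resources & parent_accepted
    result = {cert.name: accepted}
    for child in cert.children:
        result.update(validate(child, accepted, reconsidered))
    return result

# Constructed scenario: the grand-parent (here the trust anchor) shrank the
# parent's certificate by dropping 30-39 without the parent knowing, but the
# parent had already issued "child" covering 10-19 plus 30-34.
TRUST_ANCHOR = set(range(0, 100))
grandchild = Cert("grandchild", set(range(10, 15)))
child = Cert("child", set(range(10, 20)) | set(range(30, 35)), [grandchild])
sibling = Cert("sibling", set(range(40, 45)))
parent = Cert("parent", set(range(10, 50)) - set(range(30, 40)), [child, sibling])

# The "grooming" variant from the reply: the resources about to move (30-34)
# sit in their own certificate, so an error there cannot take 10-19 with it.
groomed = Cert("parent", parent.resources, [Cert("child-keep", set(range(10, 20))),
                                            Cert("child-xfer", set(range(30, 35)))])

def compare():
    """Strict, reconsidered, and strict-with-grooming results for the scenario."""
    return (validate(parent, TRUST_ANCHOR, reconsidered=False),
            validate(parent, TRUST_ANCHOR, reconsidered=True),
            validate(groomed, TRUST_ANCHOR, reconsidered=False))
```

Under the strict rule the child and its grandchild lose all resources, including the uncontested 10-19; under the intersection rule they keep exactly the resources the parent still holds, and with grooming only the separate transfer certificate fails.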


_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
