> On 29 Oct 2014, at 10:17 am, John Curran <[email protected]> wrote:
>
>> On Aug 11, 2014, at 11:58 AM, Tim Bruijnzeels <[email protected]> wrote:
>> ...
>> The *one* thing I (and I believe we..) challenge is whether an
>> overclaimed resource should invalidate a complete certificate, instead of
>> invalidating just the resources at hand, but allowing the remainder.
>> ...
>> The following two we may be able to mitigate technically, because we are
>> dealing with co-operating parties:
>> @1 There is a mis-timing in certificate shrinking in a transfer between
>> co-operating parties.
>> @2 There is a mis-timing in the parent publishing a cert with extended
>> resource, and issuing it to the child, and the child using those resources
>> in turn.
>>
>> But this is the one that has me scared. It is not the issuing CA being
>> sloppy, it's a problem between them and *their* parent:
>> @1 The *grand*-parent shrinks the *parent* certificate without the parent
>> knowing about this, and some of these resources appear on the, now
>> overclaiming, child certificate. The grand-parent and parent are not
>> involved in an active transfer process. They may not agree that the resource
>> in question should be removed, or the grand-parent may have shrunk these
>> resources in error.
>>
>> By rejecting the overclaiming child certificate completely I think we are
>> being too harsh, or pedantic even. We know better, so we are just not going
>> to trust this one. But.. there is a very real possibility that we actually
>> *do* know better than the issuing CA at this point. So, what exactly is the
>> problem with accepting the remaining resources? i.e. the intersection
>> between the parent certificate's resources and this certificate. We know the
>> context, this evaluation is very easy and well-defined. If the CA really
>> intended that the remaining resources should not be tied to the certificate,
>> they would have revoked. If the grand-parent really intended that those
>> resources should not be certified anymore, they would have removed them as
>> well.
>
> I'm certain there is a simple answer for this question, but it eludes me
> at the present time...
>
> Given the risks of full resource list invalidation due to overclaiming, why
> aren't distinct certificates used for distinct resources? If this is not
> practical in general, wouldn't it at least be prudent to "groom" resources
> that are going to be transferred into their own certificate so that the rest
> of the resources held by the original child are not put at validation risk
> (if a coordination error were to occur in subsequent transfer processing)?

If I understand your note here, you are suggesting that the CA issues a new cert for the to-be-transferred resource and revokes and reissues the original "omnibus" cert to have all the resources minus the to-be-transferred resource. Yes?

But does not this exacerbate the very problem about over-claiming subordinate certs? Any subordinate certs of the shrunken "omnibus" cert that still include the to-be-transferred resource are now completely invalid.

I may not be following your suggestion here, but I just can't see how this makes it "better".

regards,

Geoff

_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr
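The two handling rules under debate in this thread, as an added illustration that is not code from the thread or from any RPKI implementation: strict validation rejects the whole child certificate as soon as one prefix is not covered by the parent, while the intersection rule Tim proposes keeps only the covered prefixes. The prefix sets are constructed sample values; real RFC 3779 extensions also carry AS numbers and address ranges, which are omitted here.

```python
"""Strict vs. intersection handling of an overclaiming RPKI child certificate.

Added illustration only: IPv4/IPv6 prefixes as strings, no ASN.1, no AS numbers.
"""
import ipaddress
from typing import List, Optional


def _nets(prefixes: List[str]):
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]


def strict_validation(parent: List[str], child: List[str]) -> Optional[List[str]]:
    """Current rule: every child prefix must lie inside some parent prefix.
    A single overclaimed prefix invalidates the whole child cert (returns None)."""
    parent_nets = _nets(parent)
    for c in _nets(child):
        if not any(c.version == p.version and c.subnet_of(p) for p in parent_nets):
            return None
    return list(child)


def intersection_validation(parent: List[str], child: List[str]) -> List[str]:
    """Proposed rule: certify parent ∩ child and drop only the overclaimed part.
    Prefixes either nest or are disjoint, so two checks cover every overlap."""
    parent_nets = _nets(parent)
    kept = set()
    for c in _nets(child):
        for p in parent_nets:
            if c.version != p.version:
                continue
            if c.subnet_of(p):      # child prefix fully covered by the parent: keep it
                kept.add(c)
            elif p.subnet_of(c):    # child claims a supernet: keep only the parent's part
                kept.add(p)
            # otherwise the two prefixes are disjoint and nothing is kept
    ordered = sorted(kept, key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return [str(n) for n in ordered]


def grandparent_shrink_scenario() -> dict:
    """The case that worries Tim: the grand-parent removes 198.51.100.0/24 from the
    parent's cert; the child's cert (not reissued) still carries it. Constructed data."""
    parent_before = ["10.0.0.0/8", "192.0.2.0/24", "198.51.100.0/24"]
    parent_after = ["10.0.0.0/8", "192.0.2.0/24"]  # shrunk by the grand-parent
    child = ["10.1.0.0/16", "192.0.2.0/25", "198.51.100.0/24"]
    return {
        "strict_before": strict_validation(parent_before, child),
        "strict_after": strict_validation(parent_after, child),
        "intersection_after": intersection_validation(parent_after, child),
    }
```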
