On 10/17/12 12:36 PM, "Ryan Sleevi" <[email protected]> wrote:
><large snip>
>This leaves the broader question of "How does the site operator know about
>CA_Alice and CA_Bob to begin with". One possible solution for this is a
>report-but-unenforced mode, where user agents could describe their
>observed chains to the site. As unseemly as this is, it's very likely that
>many site operators - even Very Large, High Value sites - may not have a
>full understanding of the PKI that they're a participant in.

A tool that builds all possible paths that the site operator can run without involving any users would be good too. The site operator mainly needs to know where its certificate chains against public stuff and could check that independently. This should come close to relegating the user report tool to oddball instances.

>Another solution is to rely on policy changes in root stores, such as
>Mozilla's recent proposed CA Certificate Store requirements change, which
>would encourage (by requiring, with only one acceptable alternative) the
>public disclosure of such CA hierarchies. As a result of such changes,
>there would be knowledge of the relationship between CA_Alice and CA_Bob,
>which under today's model, is actually quite hard for site operators to
>discover.

Even with disclosure a builder tool that illustrates possible chains would be useful.

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
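A sketch of the builder tool proposed in the reply above, as an added example that is not from either poster: it enumerates every loop-free chain from a site's leaf certificate to a self-signed certificate, including chains that exist only because of cross-signing. The certificate records, key identifiers and `www.example.test` are constructed, and matching is on subject name and key identifier only, with no signature, validity or constraint checking.

```python
from collections import namedtuple

# Constructed sample data: each record stands in for one certificate,
# reduced to the fields that path building matches on.
Cert = namedtuple("Cert", "subject issuer key_id issuer_key_id")

POOL = [
    Cert("www.example.test", "CA_Alice", "k-leaf", "k-alice"),
    Cert("CA_Alice", "Root_A", "k-alice", "k-roota"),  # CA_Alice under its own root
    Cert("CA_Alice", "CA_Bob", "k-alice", "k-bob"),    # CA_Alice cross-signed by CA_Bob
    Cert("CA_Bob", "Root_B", "k-bob", "k-rootb"),
    Cert("CA_Bob", "CA_Alice", "k-bob", "k-alice"),    # mutual cross-sign: creates a loop
    Cert("Root_A", "Root_A", "k-roota", "k-roota"),
    Cert("Root_B", "Root_B", "k-rootb", "k-rootb"),
]

def is_self_signed(cert):
    return cert.subject == cert.issuer and cert.key_id == cert.issuer_key_id

def build_paths(leaf, pool):
    """Return every loop-free chain from leaf to a self-signed certificate."""
    paths = []

    def walk(chain, seen_keys):
        tip = chain[-1]
        if is_self_signed(tip):
            paths.append(chain)
            return
        for cand in pool:
            # An issuer candidate must match both the name and the key identifier.
            if (cand.subject, cand.key_id) != (tip.issuer, tip.issuer_key_id):
                continue
            # Mutual cross-signing would recurse forever: never reuse a key.
            if cand.key_id in seen_keys:
                continue
            walk(chain + [cand], seen_keys | {cand.key_id})

    walk([leaf], {leaf.key_id})
    return paths

def describe(paths):
    """Render each chain as 'leaf -> ... -> root', sorted for stable output."""
    return sorted(" -> ".join(c.subject for c in p) for p in paths)

if __name__ == "__main__":
    for line in describe(build_paths(POOL[0], POOL)):
        print(line)
```

With the sample pool, the operator sees that the site chains to Root_B through CA_Bob as well as to Root_A, which is the relationship the quoted message says is hard to discover.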
