Re: PKI and Relying Parties

From: Citizen Fish (fishy@)
Date: 03/28/02


    From: Citizen Fish <fishy@<tut tut>answer.me.uk>
    Date: Thu, 28 Mar 2002 13:11:10 +0000
    
    

    Harold Hammond coughed up the following:

    > I have a pretty good understanding of PKI, however, I'm not sure what would
    > be the solution for an enterprise that wishes to be a relying party but
    > not a CA. We don't want to be issuing certs. Right now, we don't want
    > anyone else to be issuing certs on our behalf. We just want to be able
    > to validate certificates. If it's a level 3 cert and it's from an
    > approved CA (or a subordinate of an approved CA) then we can be certain
    > of the user's identity and will let them attempt to access our system.
    >
    > TIA
    > -Harold

    Harold

    I believe the solution to this problem is in directories, as (I think) you
    want to do TWO things once you have established which CAs you want to
    trust:-

    1) You want to check a revocation list that is not maintained by yourself;
    you need to check CRLs and ARLs, and if you are going to support many CAs
    you may have to implement a multitude of technologies:-

    - OCSP
    - Combined CRL
    - Partitioned CRL
    - LDAP retrieval
    - HTTP retrieval

    2) You want to match the identity with one that you already know (as there
    are many John Smiths with certificates, how do I know it is the John Smith
    I want to talk to?).

    (In my opinion) any public CA not providing 1) and a relying party
    agreement against it is a waste of time. Essentially you need to strike up
    relying party agreements with CAs (and their revocation lists) which ensure
    that they carry liability for not meeting their advertised CPs, which will
    include the authentication process, CRL publishing frequency and process.

    2) is harder. In this instance you need the user to hold some additional
    information that relates to you. A directory entry (accessed with the
    consent of the user) would seem the sensible place for this to reside.

    HTH

    CFish

    -- 
    Come inside boy - they call this fun!,..........
    
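Added worked example (editor's addition, not part of the original thread or anyone's posted code): a Go sketch of the relying party CFish describes, one that issues nothing but keeps the approved roots and sub-CAs, the latest CRL/ARL it fetched from each, and its own directory. Admission is the two checks from the post in order: chain validation, then a fresh, correctly signed CRL from every issuer in the chain (failing closed on a stale one), then matching the certificate's e-mail SAN to a directory entry so the right John Smith gets in. The CA names, "jsmith@example.com", "uid=1042" and the toy PKI are all constructed in-process so the code runs offline; a real deployment would fetch the CRLs from the URLs in the certificate's CRL distribution points (or ask OCSP) instead of signing them itself.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func must(err error) { if err != nil { panic(err) } }

// template builds a cert template: CAs get cert/CRL signing usage, users get an e-mail SAN.
func template(cn, email string, ca bool, now time.Time) *x509.Certificate {
	sn, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64)); must(err) // random serial, as a real CA does
	t := &x509.Certificate{SerialNumber: sn, Subject: pkix.Name{CommonName: cn}, BasicConstraintsValid: true,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		IsCA: ca, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	if !ca {
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
		t.EmailAddresses = []string{email}
	}
	return t
}

// issue signs tmpl with the parent's key (self-signed when parent is nil); returns the cert and its key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); must(err)
	if parent == nil { parent, parentKey = tmpl, key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey); must(err)
	cert, err := x509.ParseCertificate(der); must(err)
	return cert, key
}

// signCRL is the CA side (constructed here only so the example is self-contained): a signed CRL,
// or an ARL when the issuer is a root, listing the revoked serials.
func signCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey, now time.Time, revoked ...*big.Int) *x509.RevocationList {
	var entries []pkix.RevokedCertificate
	for _, s := range revoked { entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now}) }
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour), RevokedCertificates: entries}, issuer, key); must(err)
	crl, err := x509.ParseRevocationList(der); must(err) // the relying party only ever sees the DER it fetched
	return crl
}

// RelyingParty is what an enterprise that issues nothing still keeps: trust anchors, fetched CRLs, its directory.
type RelyingParty struct {
	Roots, Inters *x509.CertPool
	CRLs          map[string]*x509.RevocationList // keyed by the issuing CA's DER subject
	Directory     map[string]string               // e-mail SAN -> local account (constructed)
	Now           time.Time
}

// Admit does the two checks from the post: chain and revocation first, then identity matching.
func (rp *RelyingParty) Admit(cert *x509.Certificate) (string, error) {
	chains, err := cert.Verify(x509.VerifyOptions{Roots: rp.Roots, Intermediates: rp.Inters,
		CurrentTime: rp.Now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil { return "", fmt.Errorf("chain: %w", err) }
	chain := chains[0]
	for i := 0; i+1 < len(chain); i++ { // every cert below the root is checked against its issuer's CRL
		c, issuer := chain[i], chain[i+1]
		crl, ok := rp.CRLs[string(issuer.RawSubject)]
		if !ok { return "", fmt.Errorf("no CRL held for %s", issuer.Subject.CommonName) }
		if err := crl.CheckSignatureFrom(issuer); err != nil { return "", fmt.Errorf("CRL signature: %w", err) }
		if rp.Now.After(crl.NextUpdate) { return "", errors.New("CRL is past its NextUpdate") } // stale = fail closed
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(c.SerialNumber) == 0 { return "", fmt.Errorf("%s is revoked", c.Subject.CommonName) }
		}
	}
	for _, e := range cert.EmailAddresses { // the cert proves a name; the directory says which John Smith
		if acct, ok := rp.Directory[e]; ok { return acct, nil }
	}
	return "", errors.New("identity not in our directory")
}

// Demo builds a constructed root -> sub-CA -> user PKI and exercises the relying party.
func Demo() (admitted string, revokedErr, strangerErr error) {
	now := time.Now()
	root, rootKey := issue(template("Approved Root CA", "", true, now), nil, nil)
	sub, subKey := issue(template("Approved Sub CA", "", true, now), root, rootKey)
	smith, _ := issue(template("John Smith", "jsmith@example.com", false, now), sub, subKey)
	exSmith, _ := issue(template("John Smith", "jsmith@example.com", false, now), sub, subKey) // will be revoked
	other, otherKey := issue(template("Unapproved CA", "", true, now), nil, nil)
	stranger, _ := issue(template("John Smith", "jsmith@example.com", false, now), other, otherKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool(); roots.AddCert(root); inters.AddCert(sub)
	rp := &RelyingParty{Roots: roots, Inters: inters, Now: now,
		Directory: map[string]string{"jsmith@example.com": "uid=1042"}, // our record of *this* John Smith
		CRLs: map[string]*x509.RevocationList{string(root.RawSubject): signCRL(root, rootKey, now), // ARL, empty
			string(sub.RawSubject): signCRL(sub, subKey, now, exSmith.SerialNumber)}} // CRL revoking exSmith
	admitted, _ = rp.Admit(smith)
	_, revokedErr = rp.Admit(exSmith)
	_, strangerErr = rp.Admit(stranger)
	return
}

func main() { fmt.Println(Demo()) }
```

Two things worth noting for a real deployment. Go's `Verify` builds and checks the chain but does no revocation checking at all, which is why `Admit` walks the chain itself; the CRL for each issuer would be retrieved from `cert.CRLDistributionPoints` (HTTP or LDAP URLs) or the status asked of `cert.OCSPServer`, and the `NextUpdate` test above is what keeps a CA's advertised publishing frequency honest. The serial-number comparison keyed on the issuer is also why a partitioned CRL needs the distribution-point name to pick the right partition, which this sketch glosses over by holding one CRL per issuer.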
