Re: Security AD Review of draft-ietf-pkix-ipki3cmp-05.txt

Bob Jueneman <BJUENEMAN@novell.com> Wed, 12 November 1997 21:15 UTC

Return-Path: <BJUENEMAN@novell.com>
Received: from consensus.com (mail.consensus.com [157.22.240.7]) by sparky.wovenword.com (8.8.5/8.8.5) with ESMTP id NAA01493 for <tim-mail-work-lists@wovenword.com>; Wed, 12 Nov 1997 13:15:45 -0800
Received: from Tandem.com (192.216.221.8) by consensus.com with ESMTP (Eudora Internet Mail Server 1.2); Wed, 12 Nov 1997 14:12:38 -0700
Received: from novell.com (prv-mail20.Provo.Novell.COM [137.65.40.4]) by Tandem.com (8.8.8/2.0.1) with SMTP id MAA28789 for <ietf-pkix@tandem.com>; Wed, 12 Nov 1997 12:03:46 -0800 (PST)
Received: from INET-PRV-Message_Server by novell.com with Novell_GroupWise; Wed, 12 Nov 1997 13:03:03 -0700
Message-Id: <s469a907.051@novell.com>
X-Mailer: Novell GroupWise 4.1
Date: Wed, 12 Nov 1997 13:02:25 -0700
From: Bob Jueneman <BJUENEMAN@novell.com>
To: kent@bbn.com, cadams@entrust.com, jis@mit.edu, stephen.farrell@sse.ie, wford@verisign.com
Cc: ietf-pkix@tandem.com
Subject: Re: Security AD Review of draft-ietf-pkix-ipki3cmp-05.txt
Mime-Version: 1.0
Content-Type: text/plain
Content-Disposition: inline

Jeffrey,

>From section 1.3 (requirements)
>
>> 10. Final authority for certification creation rests with the CA; no 
>> RA or end-entity equipment can assume that any certificate issued by a 
>> CA will contain what was requested -- a CA may alter certificate field 
>> values or may add, delete or alter extensions according to its operating 
>> policy; the only exception to this is the public key, which the CA must 
>> not modify (assuming that the CA was presented with the public key 
>> value). In other words, all PKI entities (end-entities, RAs, and CAs) 
>> must be capable of handling responses to requests for certificates in 
>> which the actual certificate issued is different from that requested  
>> (for example, a CA may shorten the validity period requested). 

Regardless of what portion of a requested certificate might be changed by
the CA, the text of the requirements should be changed to clarify the fact
that the requesting subscriber (end-user, normally) is responsible for
reviewing and approving the modifications made, if any. If the subscriber
does not approve the certificate contents, the CA may not publish or
otherwise distribute the certificate. 

Cf. the ABA Digital Signature Guidelines, para 1.1, 3.8, and 4.2. The DSG
are available at http://www.abanet.org/scitech/ec/isc/dsgfree.html.

What rights the RA should have to review and approve the revised certificate
would be an interesting question, as the role that an RA plays that is
independent of the CA has not been adequately developed, IMHO.

Bob



Robert R. Jueneman
Security Architect
Novell, Inc.
Network Services Division
122 East 1700 South
Provo, UT 84604
801/861-7387
bjueneman@novell.com

"If you are trying to get to the moon, climbing a tree, 
although a step in the right direction, will not prove 
to be very helpful."

"The most dangerous strategy is to cross the chasm in two leaps."
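The requirement quoted above (section 1.3, item 10) says every end-entity must be able to handle a certificate that differs from what it requested, with the public key as the one field the CA may not touch. The following Go program is an added example, not code from the draft, from Bob's message, or from any CMP implementation: it models the subscriber-side review step that the message argues for, comparing an issued certificate against the requested template and separating the one hard failure (a changed public key) from the CA modifications the subscriber must see and approve. The `CertTemplate` type, the `Review` and `Scenario` functions, the toy CA and the subject names are all constructed for this example; the request structure is a simplified stand-in for a CMP CertTemplate, not the real ASN.1 type.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CertTemplate is a constructed, simplified stand-in for the CMP CertTemplate:
// what the subscriber asked the CA to put in the certificate.
type CertTemplate struct {
	Subject   pkix.Name
	PublicKey *ecdsa.PublicKey
	NotBefore time.Time
	NotAfter  time.Time
	ExtIDs    []asn1.ObjectIdentifier // extension OIDs the subscriber requested
}

// Finding is one difference between the request and the issued certificate.
// Reject marks a hard failure; every other finding is a CA modification that
// the subscriber must review and approve before confirming the certificate.
type Finding struct {
	Reject bool
	Msg    string
}

// Review compares an issued certificate with the template it was requested from.
func Review(tmpl CertTemplate, issued *x509.Certificate) []Finding {
	var out []Finding

	// The public key is the one field the CA is never allowed to change.
	pub, ok := issued.PublicKey.(*ecdsa.PublicKey)
	if !ok || !pub.Equal(tmpl.PublicKey) {
		out = append(out, Finding{Reject: true, Msg: "public key differs from the key presented in the request"})
	}

	// Subject: compare DER encodings rather than string renderings.
	wantSubject, _ := asn1.Marshal(tmpl.Subject.ToRDNSequence())
	if !bytes.Equal(wantSubject, issued.RawSubject) {
		out = append(out, Finding{Msg: "subject changed to " + issued.Subject.String()})
	}

	// Validity: shortening is the case the draft mentions; any change is reported for approval.
	switch {
	case issued.NotBefore.Before(tmpl.NotBefore) || issued.NotAfter.After(tmpl.NotAfter):
		out = append(out, Finding{Msg: "validity extended beyond the requested period"})
	case !issued.NotBefore.Equal(tmpl.NotBefore) || !issued.NotAfter.Equal(tmpl.NotAfter):
		out = append(out, Finding{Msg: fmt.Sprintf("validity shortened to %s .. %s",
			issued.NotBefore.Format(time.RFC3339), issued.NotAfter.Format(time.RFC3339))})
	}

	// Extensions: report every OID the CA added or dropped relative to the request.
	requested := map[string]bool{}
	for _, id := range tmpl.ExtIDs {
		requested[id.String()] = true
	}
	present := map[string]bool{}
	for _, e := range issued.Extensions {
		present[e.Id.String()] = true
		if !requested[e.Id.String()] {
			out = append(out, Finding{Msg: "extension added by CA: " + e.Id.String()})
		}
	}
	for id := range requested {
		if !present[id] {
			out = append(out, Finding{Msg: "requested extension dropped by CA: " + id})
		}
	}
	return out
}

// HasReject reports whether any finding is a hard failure.
func HasReject(fs []Finding) bool {
	for _, f := range fs {
		if f.Reject {
			return true
		}
	}
	return false
}

// HasMsg reports whether any finding's message contains substr.
func HasMsg(fs []Finding, substr string) bool {
	for _, f := range fs {
		if strings.Contains(f.Msg, substr) {
			return true
		}
	}
	return false
}

// Scenario builds a constructed request and has a toy CA issue a certificate
// that shortens the validity period and adds a KeyUsage extension. With
// swapKey set, the CA also (wrongly) certifies a different key.
func Scenario(swapKey bool) ([]Finding, error) {
	subKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	start := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	req := CertTemplate{
		Subject:   pkix.Name{CommonName: "alice", Organization: []string{"Example Org"}},
		PublicKey: &subKey.PublicKey,
		NotBefore: start,
		NotAfter:  start.AddDate(2, 0, 0), // subscriber asks for two years
	}
	certified := req.PublicKey
	if swapKey {
		certified = &caKey.PublicKey // wrong key: the subscriber must reject this
	}
	issuedTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      req.Subject,
		NotBefore:    req.NotBefore,
		NotAfter:     start.AddDate(1, 0, 0),        // CA policy: one year only
		KeyUsage:     x509.KeyUsageDigitalSignature, // CA adds extension 2.5.29.15
	}
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Toy CA"}, IsCA: true}
	der, err := x509.CreateCertificate(rand.Reader, issuedTmpl, caTmpl, certified, caKey)
	if err != nil {
		return nil, err
	}
	issued, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return Review(req, issued), nil
}

func main() {
	for _, swap := range []bool{false, true} {
		findings, err := Scenario(swap)
		if err != nil {
			panic(err)
		}
		fmt.Printf("swapKey=%v\n", swap)
		for _, f := range findings {
			fmt.Printf("  reject=%v %s\n", f.Reject, f.Msg)
		}
	}
}
```

Run as written, the first scenario yields no rejection, a "validity shortened" finding and an "extension added by CA: 2.5.29.15" finding, which is exactly the material a subscriber would approve or decline before the CA publishes; the second scenario yields a reject finding because the certified key is not the one the subscriber presented. The subject comparison uses the DER encoding of the requested RDN sequence rather than `pkix.Name.String()`, so attribute ordering or string-type differences are not hidden by the rendering.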