Re: [saag] [lamps] subordinate vs intermediate certification authority
Ryan Sleevi <ryan-ietf@sleevi.com> Mon, 08 February 2021 16:49 UTC
Return-Path: <ryan.sleevi@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id 2AFF93A11D7;
Mon, 8 Feb 2021 08:49:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.419
X-Spam-Level:
X-Spam-Status: No, score=-1.419 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249,
FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249,
HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01,
SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001]
autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id fE5k7yk6jSrB; Mon, 8 Feb 2021 08:49:09 -0800 (PST)
Received: from mail-pg1-f174.google.com (mail-pg1-f174.google.com
[209.85.215.174])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id 821463A11CB;
Mon, 8 Feb 2021 08:49:09 -0800 (PST)
Received: by mail-pg1-f174.google.com with SMTP id o63so10589840pgo.6;
Mon, 08 Feb 2021 08:49:09 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:references:in-reply-to:from:date
:message-id:subject:to:cc;
bh=/PmIdNiSFVMYarXRVUE4N7d0ZMet8Qr6NOF9pg+w6KA=;
b=TYFpCcAYAR2yvIKijSH0Q20pSfv+dPsNV80umeUi2IXr0fdPWkMprVYEPZqMgujjKu
aPiV0aYI81qjfE5Nla6h9lmx/S5v6k6dTSUjcemhOPx2SlWD4c1QmcZXyT1COFCLAo5Z
WOYlSbv36T/ffKVEsE5zTvGn798Ti8jR/71H9HplSgHBI7YcElSqoEw4fWCubcYNTvzo
MNKqw0yjh7iaC4poiGvlk/WZjbscOS3QnEyR94JTq3O9+y5y0iTMB6KE/kRJxTt8VZHj
DLlk+xBRo777stpHVUw36Cmnc3XEV8Do9pog14ACgQsX+A/TK3MNIxEhMtM8JcIcjFgJ
bXFw==
X-Gm-Message-State: AOAM533Ee2JmNNTaklC5kReys+nG7ustVvgfCtYtdltM+HtI1pxTQYHc
Lr7SnrXnxSt7UPPDtNLwxcf/wKs9Euo=
X-Google-Smtp-Source: ABdhPJw1DVbWuczsZj9jyE4NqAyxzEkpFoR51w6W5AT4qyfoNqdV5+iTPKw86XqClO/4fksFlPa/xA==
X-Received: by 2002:a62:e407:0:b029:1dc:1ef6:b2da with SMTP id
r7-20020a62e4070000b02901dc1ef6b2damr7366126pfh.67.1612802948586;
Mon, 08 Feb 2021 08:49:08 -0800 (PST)
Received: from mail-pl1-f173.google.com (mail-pl1-f173.google.com.
[209.85.214.173])
by smtp.gmail.com with ESMTPSA id l2sm17041752pju.25.2021.02.08.08.49.07
(version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
Mon, 08 Feb 2021 08:49:07 -0800 (PST)
Received: by mail-pl1-f173.google.com with SMTP id g3so8138271plp.2;
Mon, 08 Feb 2021 08:49:07 -0800 (PST)
X-Received: by 2002:a17:902:464:b029:e2:ebb4:9251 with SMTP id
91-20020a1709020464b02900e2ebb49251mr2087047ple.29.1612802947750; Mon, 08 Feb
2021 08:49:07 -0800 (PST)
MIME-Version: 1.0
References: <30833.1612411843@localhost>
<5a88fc8c-dbd2-cc77-2b06-db0fd9da4da4@openca.org>
<6108.1612645177@localhost>
In-Reply-To: <6108.1612645177@localhost>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Mon, 8 Feb 2021 11:48:57 -0500
X-Gmail-Original-Message-ID: <CAErg=HHesEG1T+39WCgFGa---wzd884FQNGLndT35dvVAKf+kA@mail.gmail.com>
Message-ID: <CAErg=HHesEG1T+39WCgFGa---wzd884FQNGLndT35dvVAKf+kA@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: "Dr. Pala" <madwolf@openca.org>, LAMPS <spasm@ietf.org>, saag@ietf.org
Content-Type: multipart/alternative; boundary="000000000000cb219005bad5f2ba"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/iLxviYIt5UjIdpE3LjHjopAS8SY>
Subject: Re: [saag] [lamps] subordinate vs intermediate certification
authority
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>,
<mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>,
<mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Feb 2021 16:49:11 -0000
On Sat, Feb 6, 2021 at 4:00 PM Michael Richardson <mcr+ietf@sandelman.ca> wrote: > > Dr. Pala <madwolf@openca.org> wrote: > > Developers and Practitioners (see the note on OpenSSL's conventions) > > seem to support more the "Intermediate CA" for technical > conversations > > while "Subordinate CA" is usually referred to in the context of PKI > > policies. > > I think that this is the key point which you are supporting. > > > RFC3647 talks about subordinate organizations instead - maybe that is > > the concept you need to use? What is weird about the question is the > > different logical levels that you are trying to put together: > business > > relationships and certification chains. > > The issue comes up with pinning as it relates to ownership. > It's not a problem if every organization that can own Things has it's own > private CA. Pinning that CA works great. > Pinning some other EE is very much more specific, but also, may be too > ephemeral. > > Where it gets complex is when organizations have outsourced the CA > function elsewhere. > It's meaningless to pin LetsEncrypt or GoDaddy. It might be meaningful to > pin a Subordinate CA signed by some public CA though. > No one, anywhere, should ever pin to a CA that they don’t directly control, and even then, they still shouldn’t :) Pinning is just a poor-man’s attempt at a server controlling the client’s trust anchors, and thus inevitably runs into issues, since client policy is inherently _client_ policy. Especially important is never pinning to a so-called “public” CA, precisely because their very existence is predicated on client policy that is intentionally not controlled/controllable by servers. I stand by the statement that is mostly misguided to highlight any distinction between these terms (subordinate and intermediate). The model of PKI that 3647 envisioned, tied to The Directory, doesn’t exist. While it provides a useful framework, the model of policy and business relationships is not a generic model in practice, unfortunately, and so one cannot just liberally sprinkle the terms in and expect there to be a distinction of note to the reader. In general, it should be a red flag if such a distinction is necessary, because it’s indicative of an assumption of human-/business-/policy-based practices, vs technical practices, and thus inevitably going to cause significant interoperability issues, as both humans and policies are rarely all alike and identical.
- [saag] subordinate vs intermediate certification … Michael Richardson
- Re: [saag] subordinate vs intermediate certificat… Viktor Dukhovni
- Re: [saag] [lamps] subordinate vs intermediate ce… Brockhaus, Hendrik
- Re: [saag] subordinate vs intermediate certificat… Michael Richardson
- Re: [saag] subordinate vs intermediate certificat… Viktor Dukhovni
- Re: [saag] subordinate vs intermediate certificat… Dr. Pala
- Re: [saag] [lamps] subordinate vs intermediate ce… Michael Richardson
- Re: [saag] subordinate vs intermediate certificat… Michael Richardson
- Re: [saag] subordinate vs intermediate certificat… Michael Richardson
- Re: [saag] subordinate vs intermediate certificat… Viktor Dukhovni
- Re: [saag] subordinate vs intermediate certificat… Michael Richardson
- Re: [saag] [lamps] subordinate vs intermediate ce… Ryan Sleevi
- Re: [saag] [lamps] subordinate vs intermediate ce… Phillip Hallam-Baker
- Re: [saag] [lamps] subordinate vs intermediate ce… Viktor Dukhovni
- Re: [saag] [lamps] subordinate vs intermediate ce… Eliot Lear
- Re: [saag] [lamps] subordinate vs intermediate ce… Phillip Hallam-Baker
- Re: [saag] [lamps] subordinate vs intermediate ce… Phillip Hallam-Baker
- Re: [saag] [lamps] subordinate vs intermediate ce… Viktor Dukhovni
- Re: [saag] subordinate vs intermediate certificat… Michael Richardson