Re: [saag] subordinate vs intermediate certification authority
Michael Richardson <mcr+ietf@sandelman.ca> Sat, 06 February 2021 20:59 UTC
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "Dr. Pala" <madwolf@openca.org>
cc: saag@ietf.org, LAMPS <spasm@ietf.org>
In-Reply-To: <5a88fc8c-dbd2-cc77-2b06-db0fd9da4da4@openca.org>
References: <30833.1612411843@localhost> <5a88fc8c-dbd2-cc77-2b06-db0fd9da4da4@openca.org>
Date: Sat, 06 Feb 2021 15:59:37 -0500
Message-ID: <6108.1612645177@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/tCbO5Nd_vG4rq-ont-irYbpom2E>
Subject: Re: [saag] subordinate vs intermediate certification authority
Dr. Pala <madwolf@openca.org> wrote:
    > Developers and Practitioners (see the note on OpenSSL's conventions)
    > seem to support more the "Intermediate CA" for technical conversations
    > while "Subordinate CA" is usually referred to in the context of PKI
    > policies. I think that this is the key point which you are supporting.

    > RFC3647 talks about subordinate organizations instead - maybe that is
    > the concept you need to use? What is weird about the question is the
    > different logical levels that you are trying to put together: business
    > relationships and certification chains.

The issue comes up with pinning as it relates to ownership.

It's not a problem if every organization that can own Things has its own
private CA. Pinning that CA works great.
Pinning some other EE is very much more specific, but also may be too
ephemeral.

Where it gets complex is when organizations have outsourced the CA function
elsewhere. It's meaningless to pin LetsEncrypt or GoDaddy. It might be
meaningful to pin a Subordinate CA signed by some public CA, though.

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
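The three pinning choices weighed in the message above (a private or outsourced root, a subordinate CA under a public root, an end-entity certificate) can be tried side by side. The Go program below is an added illustration, not part of Michael's message or of any IETF document; it uses only the standard crypto/x509 package. It builds a constructed hierarchy: one public root, a subordinate CA issued to the Thing's owner, a second subordinate CA issued by the same public root to an unrelated customer, and leaf certificates for the same host name from both subordinates, plus a renewed owner leaf with a rotated key. It then validates each leaf and checks which ones a relying party accepts when it pins (a) the public root, (b) the owner's subordinate CA, (c) the original leaf. The pin encoding (base64 of the SHA-256 of the SubjectPublicKeyInfo), the host name thing.example, the certificate names and all function names are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

var demoNow = time.Date(2021, 2, 6, 21, 0, 0, 0, time.UTC) // fixed clock, so the constructed certs stay valid

// spkiPin is base64(SHA-256(SubjectPublicKeyInfo)): pin the key, not the certificate.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// verifyPinned does ordinary path validation first; only a validated chain is then required to contain a pinned key.
func verifyPinned(leaf *x509.Certificate, inters, roots *x509.CertPool, host string, pins map[string]bool) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host, CurrentTime: demoNow})
	if err != nil {
		return err
	}
	for _, chain := range chains {
		for _, c := range chain {
			if pins[spkiPin(c)] {
				return nil
			}
		}
	}
	return fmt.Errorf("chain for %s validated but contains no pinned key", host)
}

// mint generates a P-256 key for tmpl and has parentKey sign it (self-signed when parentKey is nil).
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parentKey == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c, key
}

func template(serial int64, cn string, ca bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: demoNow.Add(-time.Hour), NotAfter: demoNow.Add(24 * time.Hour)}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.DNSNames, t.KeyUsage = []string{cn}, x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// Demo is the constructed hierarchy: one public root, sub-CAs for two unrelated customers, leaves for one name from both.
type Demo struct {
	Root, OwnerSub, OtherSub, Leaf, RenewedLeaf, OtherLeaf *x509.Certificate
	Roots, Inters                                         *x509.CertPool
}

func BuildDemo() Demo {
	root, rootKey := mint(template(1, "Public Root (constructed)", true), nil, nil)
	ownerSub, ownerKey := mint(template(2, "Thing Owner Subordinate CA (constructed)", true), root, rootKey)
	otherSub, otherKey := mint(template(3, "Other Customer Subordinate CA (constructed)", true), root, rootKey)
	d := Demo{Root: root, OwnerSub: ownerSub, OtherSub: otherSub, Roots: x509.NewCertPool(), Inters: x509.NewCertPool()}
	d.Leaf, _ = mint(template(10, "thing.example", false), ownerSub, ownerKey)
	d.RenewedLeaf, _ = mint(template(11, "thing.example", false), ownerSub, ownerKey) // same sub-CA, fresh key
	d.OtherLeaf, _ = mint(template(12, "thing.example", false), otherSub, otherKey)   // same name, other customer's sub-CA
	d.Roots.AddCert(root)
	d.Inters.AddCert(ownerSub)
	d.Inters.AddCert(otherSub)
	return d
}

// Outcomes reports, per pin choice, whether Leaf, RenewedLeaf and OtherLeaf are accepted, in that order.
func Outcomes(d Demo) map[string][3]bool {
	res := map[string][3]bool{}
	for name, pinned := range map[string]*x509.Certificate{"root": d.Root, "subca": d.OwnerSub, "leaf": d.Leaf} {
		pins := map[string]bool{spkiPin(pinned): true}
		var r [3]bool
		for i, l := range []*x509.Certificate{d.Leaf, d.RenewedLeaf, d.OtherLeaf} {
			r[i] = verifyPinned(l, d.Inters, d.Roots, "thing.example", pins) == nil
		}
		res[name] = r
	}
	return res
}

func main() { fmt.Println(Outcomes(BuildDemo())) }
```

Running it prints map[leaf:[true false false] root:[true true true] subca:[true true false]]. Pinning the public root accepts every chain that root ever signs for the name, including the other customer's certificate, which is why pinning an outsourced public CA adds nothing over ordinary validation. Pinning the leaf rejects the owner's own renewed certificate the moment its key rotates. Pinning the owner's subordinate CA survives the renewal and still rejects the unrelated customer's certificate, which is the ownership property the message is after. Note that the pin check runs only on chains that already passed path validation; a pin narrows trust, it never substitutes for validation.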
- [saag] subordinate vs intermediate certification … Michael Richardson
- Re: [saag] subordinate vs intermediate certificat… Viktor Dukhovni
- Re: [saag] [lamps] subordinate vs intermediate ce… Brockhaus, Hendrik
- Re: [saag] subordinate vs intermediate certificat… Michael Richardson
- Re: [saag] subordinate vs intermediate certificat… Viktor Dukhovni
- Re: [saag] subordinate vs intermediate certificat… Dr. Pala
- Re: [saag] [lamps] subordinate vs intermediate ce… Michael Richardson
- Re: [saag] subordinate vs intermediate certificat… Michael Richardson
- Re: [saag] subordinate vs intermediate certificat… Michael Richardson
- Re: [saag] subordinate vs intermediate certificat… Viktor Dukhovni
- Re: [saag] subordinate vs intermediate certificat… Michael Richardson
- Re: [saag] [lamps] subordinate vs intermediate ce… Ryan Sleevi
- Re: [saag] [lamps] subordinate vs intermediate ce… Phillip Hallam-Baker
- Re: [saag] [lamps] subordinate vs intermediate ce… Viktor Dukhovni
- Re: [saag] [lamps] subordinate vs intermediate ce… Eliot Lear
- Re: [saag] [lamps] subordinate vs intermediate ce… Phillip Hallam-Baker
- Re: [saag] [lamps] subordinate vs intermediate ce… Phillip Hallam-Baker
- Re: [saag] [lamps] subordinate vs intermediate ce… Viktor Dukhovni
- Re: [saag] subordinate vs intermediate certificat… Michael Richardson