Re: [therightkey] RA vs CA
Ralph Holz <holz@net.in.tum.de> Wed, 08 January 2014 18:48 UTC
Hi,

>> I was there at IMC and spoke with Zakir. He was not aware of the fact
>> that the private keys to all the intermediate certificates are held by
>> the central DFN Verein, not the RAs themselves. In the case of DFN, the
>> intermediate certs only identify the RAs. The RAs do not carry signing
>> power.
>
> What is the function of an RA, then, if not to tell a CA "sign this"?

I'll add the following in addition to what Jeremy said: the term RA is
used with different meanings by CAs. E.g. during the Comodo incident in
2011 (the one by Comodohacker), it became clear that the RA had access
credentials stored that allowed it to trigger certification by the CA.
This was really what others might call a reseller or possibly a
subordinate CA.

In the case of DFN, it is different. The RAs are 1) identifiers in
intermediate certs and 2) carry out paperwork. I request a server cert
by creating a CSR in DFN's online interface, but I send a paper form to
the local RA, who will then contact me to verify that I am indeed a TUM
employee with control over the server (and in the case of S/MIME, see
my passport). There does not seem to be an automated trigger from the
RA that causes certification; rather it seems to be a delegation of
certain duties.

The whole thing is specified here:
https://www.pki.dfn.de/fileadmin/PKI/Konzept_DFN-PKI.pdf

Ralph

--
Ralph Holz
I8 - Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
Phone +49.89.289.18043
PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF