[Freeipa-devel] Multiple CA certificates in LDAP, questions

John Dennis jdennis at redhat.com
Mon Sep 9 14:32:08 UTC 2013


On 09/09/2013 10:24 AM, Nalin Dahyabhai wrote:
> On Mon, Sep 09, 2013 at 10:05:59AM -0400, John Dennis wrote:
>> On 09/09/2013 10:02 AM, Nalin Dahyabhai wrote:
>>> I'd expect it to depend heavily on whether or not you're chaining up to
>>> an external CA.  Personally, I'd very much want to keep a different set
>>> of trust anchors for PKINIT in that situation.
>>
>> If you've got an external CA you still effectively have one trust anchor
>> that can be revoked because we create a sub-CA from the external CA. Or
>> perhaps I misunderstood what you were suggesting.
> 
> My main concern is that the external CA, having issued one sub CA to us,
> can do so again for another customer, and trusting certificates because
> they chain up to that CA also allows that CA's other clients to issue
> certificates that we'd then also automatically trust.
> 
> We can't revoke such certificates (which is done by noting the
> combination of issuer and serial number) until we know about them, and
> we'll only know about one of them after someone's used it to attempt to
> authenticate, possibly successfully.

Good point. Isn't there an X509 extension (possibly part of PKIX?) which
restricts membership in the chain path to a criterion? In other words, you
can require your sub-CA to be present in the chain. Sorry, but my memory
is a bit fuzzy on this.


-- 
John
