[caops-wg] Encoding AIA in first-level Proxy Cert
Cowles, Robert D.
rdc at slac.stanford.edu
Sun Jan 29 07:06:07 CST 2006
> In DOEGrids ... I am not sure about every other IGTF PKI however ...
> end entity certificates can revoke themselves. It's often done. For
> instance, when a security issue arose at one site, several customers
> revoked their own certificates until local problems were cleared up.
>
> Why wouldn't we permit this idea to be extended to proxy certs?
> That is, why shouldn't a proxy cert be permitted to revoke itself?
> What conditions would speak against that?
It does create an interesting denial of service possibility
in that if I compromise a machine that has proxy certs going through
it, I can revoke all subsequent proxies for whatever proxy certs
I find on that machine. If a higher level had to do the revocation
then I would have to know something about the proxy certs generated
by apps using those proxies, and it would seem more difficult to
get that information.
BC
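The denial-of-service argument in the message above, worked through as an added example (this is not code from the caops-wg thread, nor from any Globus or IGTF software). It models a chain EEC -> proxy1 -> proxy2 -> proxy3 and compares two revocation policies: "self", where a proxy may revoke itself, and "issuer", where only the cert one level up may. Assumptions: the function names (issue, revoke, validate_chain, scenario), the subject names, and the keys are all constructed for the example, and an HMAC over the cert fields stands in for a real public-key signature, so the verifier's key store plays the role of the public keys.

```python
"""Toy model of proxy-certificate revocation policy (added example, not from
the caops-wg thread or any Globus/IGTF code).  An HMAC over the cert fields
stands in for a real signature; `keys` maps subject -> key and plays the
role of the verifier's public-key store."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    sig: bytes


@dataclass(frozen=True)
class Revocation:
    subject: str   # cert being revoked (identified by subject in this model)
    signer: str    # whose key produced the revocation signature
    sig: bytes


def _mac(key: bytes, *fields) -> bytes:
    return hmac.new(key, "|".join(map(str, fields)).encode(), hashlib.sha256).digest()


def issue(keys, issuer, subject, serial):
    """Issuer signs a new (proxy) cert with its own key."""
    return Cert(subject, issuer, serial, _mac(keys[issuer], subject, issuer, serial))


def revoke(keys, signer, subject):
    """Whoever holds `signer`'s key can emit a revocation for `subject`.
    Raises KeyError if that key is not in the caller's key store."""
    return Revocation(subject, signer, _mac(keys[signer], "revoke", subject))


def revocation_valid(keys, rev, cert_issuer, policy):
    """policy 'self': a cert may revoke itself; policy 'issuer': only its issuer may."""
    allowed = rev.subject if policy == "self" else cert_issuer
    if rev.signer != allowed:
        return False
    return hmac.compare_digest(rev.sig, _mac(keys[rev.signer], "revoke", rev.subject))


def validate_chain(keys, chain, revocations, policy):
    """Walk EEC -> proxies; fail on a bad signature, a broken link, or an
    accepted revocation.  Revoking any link kills every proxy below it."""
    for i, cert in enumerate(chain):
        expected = _mac(keys[cert.issuer], cert.subject, cert.issuer, cert.serial)
        if not hmac.compare_digest(cert.sig, expected):
            return False, f"bad signature on {cert.subject}"
        if i > 0 and chain[i - 1].subject != cert.issuer:
            return False, f"{cert.subject} not issued by {chain[i - 1].subject}"
        for rev in revocations:
            if rev.subject == cert.subject and revocation_valid(keys, rev, cert.issuer, policy):
                return False, f"{cert.subject} revoked by {rev.signer}"
    return True, "ok"


def scenario(policy):
    """Constructed scenario: a 3-level proxy chain, and an attacker who has
    compromised the host that proxy1 passes through (so holds only proxy1's key)."""
    keys = {n: hashlib.sha256(n.encode()).digest()          # constructed keys
            for n in ("CA", "EEC", "proxy1", "proxy2", "proxy3")}
    eec = issue(keys, "CA", "EEC", 1)
    p1 = issue(keys, "EEC", "proxy1", 2)
    p2 = issue(keys, "proxy1", "proxy2", 3)
    p3 = issue(keys, "proxy2", "proxy3", 4)
    chain = [eec, p1, p2, p3]
    attacker_keys = {"proxy1": keys["proxy1"]}
    # A forgery: signed with proxy1's key but claiming to come from the issuer.
    forged = Revocation("proxy1", "EEC", _mac(attacker_keys["proxy1"], "revoke", "proxy1"))
    revs = [forged]
    try:
        signer = "proxy1" if policy == "self" else "EEC"
        revs.append(revoke(attacker_keys, signer, "proxy1"))
        attacker_can_sign = True
    except KeyError:            # the issuer's key is not on the compromised host
        attacker_can_sign = False
    ok, reason = validate_chain(keys, chain, revs, policy)
    return {"policy": policy, "attacker_can_sign": attacker_can_sign,
            "chain_valid": ok, "reason": reason}


if __name__ == "__main__":
    for policy in ("self", "issuer"):
        print(scenario(policy))
```

Under the "self" policy the attacker's revocation of proxy1 is accepted and the whole chain below it (proxy2, proxy3) stops validating, which is the denial of service described above; under the "issuer" policy the attacker cannot sign a valid revocation from that host, and the forged one is rejected because it does not verify under the issuer's key.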