[caops-wg] Proxy certificate revocation text
Mike Helm
helm at fionn.es.net
Fri Feb 10 14:32:15 CST 2006
David Chadwick writes:
> I would actually go further than you do, and say that no-one is allowed
> to revoke a proxy certificate except its creator or an authorised
> delegate of the creator. Allowing anyone else to revoke a proxy is
> equivalent of allowing a DOS attack on the proxy. On the other hand, a
I think that is a great, idealistic view of the situation.
Whether resource owner revocation is practical or not is a question.
However, in some or maybe most all cases, proxy certs are created
with the partial cooperation of a resource owner or related service,
and so, they have a stake in this certificate. The key pairs are also portable.
Communicating to other resource owners that a specific proxy
certificate should no longer be used could be useful; it may be
seen as necessary, to contain a security problem.
Applying the principles that apply to an identity certificate
to a short term or proxy certificate doesn't seem appropriate.
They are ephemeral and mistakes are easily repaired. Denial
of service is a typical byproduct of most security breaches and
recovery scenarios; revoking selected proxy certificates rather
than blocking all contact from a user seems like a step
in a positive direction. Also, communication is important in
dealing with security breaches. Healing your own problems
but ignoring everyone else's is a real weakness of distributed
computing security response. We hear all the time, I want to know
about your blacklists! I want to know about things you block!
when issues like this are raised.
I think we can note these objections but we can also make
some recommendations about how relying parties can communicate
revocation information should they need to do so.
I admit I take the point of view that the rights of the resource
owner are pretty much absolute and so I think they have considerable
say in what happens with a proxy certificate key pair found
on their machine or minted on their service.
> resource owner is the source of authority for his own resource, and can
> trust or distrust any certs that he wants to (PKC and AC). Therefore a
> resource owner can blacklist anything from using his resource. But this
> is not revocation of a proxy cert, since the proxy cert is still
> authentic and can still be used at other resources that trust it. It
That, perhaps, shouldn't trust it either.
> simply isn't valid for use at the local resource. Revocation on the other
> hand ensures that no-one should trust the proxy cert, since the issuer
> is saying that it is no longer valid.
>
> regards
>
> David
>
>
> jluna at ac.upc.edu wrote:
> > Hi!
> > You will find attached to this message our proposed text for the Proxy
> > Revocation topic, taking into account some comments from D. Chadwick as
> > mentioned in the teleconference.
> >
> > Best regards,
> > Oscar & Jesus
> >
>
> --
>
> *****************************************************************
> David W. Chadwick, BSc PhD
> Professor of Information Systems Security
> The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
> Tel: +44 1227 82 3221
> Fax +44 1227 762 811
> Mobile: +44 77 96 44 7184
> Email: D.W.Chadwick at kent.ac.uk
> Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
> Research Web site: http://sec.cs.kent.ac.uk
> Entrust key validation string: MLJ9-DU5T-HV8J
> PGP Key ID is 0xBC238DE5
>
> *****************************************************************
>
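Added example, not part of this thread and not code from either author: a small Python model (using the `cryptography` library) of the distinction argued above, a resource's local blacklist versus a revocation issued by the proxy's creator. The user name, the 24-hour lifetime ceiling, the `Resource` class and the creator-signed "proxy-revoked" statement are all assumptions made for the demo; the statement is a stand-in for whatever revocation format the working group settles on, not a CRL, and the proxy carries no ProxyCertInfo extension.

```python
# Constructed demo: local blacklist (binds one site) vs. creator revocation (binds all)
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

MAX_PROXY_LIFETIME = timedelta(hours=24)  # assumed site policy ceiling for proxies

def _new_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

def _cert(subject, issuer, pub, signer, lifetime):
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(pub)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=5))
            .not_valid_after(now + lifetime)
            .sign(signer, hashes.SHA256()))

def make_ee_and_proxy(lifetime=timedelta(hours=12)):
    # Self-signed end-entity cert plus one proxy signed by the EE key;
    # RFC 3820 naming: proxy subject = EE subject with one extra CN appended.
    ee_key, proxy_key = _new_key(), _new_key()
    ee_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Jane Grid User")])  # constructed
    proxy_name = x509.Name(list(ee_name) + [x509.NameAttribute(NameOID.COMMON_NAME, "proxy")])
    ee_cert = _cert(ee_name, ee_name, ee_key.public_key(), ee_key, timedelta(days=365))
    proxy_cert = _cert(proxy_name, ee_name, proxy_key.public_key(), ee_key, lifetime)
    return ee_key, ee_cert, proxy_cert

def _validity(cert):
    nvb = getattr(cert, "not_valid_before_utc", None)
    if nvb is None:  # cryptography < 42 exposes naive UTC datetimes
        return (cert.not_valid_before.replace(tzinfo=timezone.utc),
                cert.not_valid_after.replace(tzinfo=timezone.utc))
    return nvb, cert.not_valid_after_utc

def _revocation_msg(serial):
    return b"proxy-revoked:" + serial.to_bytes(20, "big")

def sign_revocation(signer_key, proxy_cert):
    # Hypothetical creator-side revocation: the proxy serial, signed by the issuing key.
    serial = proxy_cert.serial_number
    return serial, signer_key.sign(_revocation_msg(serial), padding.PKCS1v15(), hashes.SHA256())

class Resource:
    # A relying party: may refuse a proxy locally, honours creator-signed revocations.
    def __init__(self):
        self.local_blocklist = set()   # SHA-256 fingerprints refused at this site only
        self.revoked_serials = set()   # serials the creator has revoked

    def block_locally(self, proxy_cert):
        self.local_blocklist.add(proxy_cert.fingerprint(hashes.SHA256()))

    def ingest_revocation(self, ee_cert, serial, sig):
        # Accept the revocation only if the creator's (EE) key signed it.
        try:
            ee_cert.public_key().verify(sig, _revocation_msg(serial),
                                        padding.PKCS1v15(), hashes.SHA256())
        except InvalidSignature:
            return False
        self.revoked_serials.add(serial)
        return True

    def accept(self, proxy_cert, ee_cert, now=None):
        # Returns (accepted, reason) for a proxy presented together with its EE cert.
        now = now or datetime.now(timezone.utc)
        try:
            ee_cert.public_key().verify(proxy_cert.signature, proxy_cert.tbs_certificate_bytes,
                                        padding.PKCS1v15(), proxy_cert.signature_hash_algorithm)
        except InvalidSignature:
            return False, "proxy not signed by the presented EE key"
        if proxy_cert.issuer != ee_cert.subject:
            return False, "issuer name does not match EE subject"
        nvb, nva = _validity(proxy_cert)
        if not nvb <= now <= nva:
            return False, "outside validity window"
        if nva - nvb > MAX_PROXY_LIFETIME:
            return False, "proxy lifetime exceeds site policy"
        if proxy_cert.serial_number in self.revoked_serials:
            return False, "revoked by creator"
        if proxy_cert.fingerprint(hashes.SHA256()) in self.local_blocklist:
            return False, "blacklisted at this resource only"
        return True, "ok"

def demo():
    # Site A blocks the proxy locally; site B is unaffected until the creator revokes.
    ee_key, ee_cert, proxy = make_ee_and_proxy()
    site_a, site_b = Resource(), Resource()
    site_a.block_locally(proxy)
    after_block = (site_a.accept(proxy, ee_cert)[0], site_b.accept(proxy, ee_cert)[0])
    # A third party's revocation is rejected: its signature fails under the EE key.
    serial, forged = sign_revocation(_new_key(), proxy)
    forged_ok = site_b.ingest_revocation(ee_cert, serial, forged)
    serial, sig = sign_revocation(ee_key, proxy)
    site_a.ingest_revocation(ee_cert, serial, sig)
    site_b.ingest_revocation(ee_cert, serial, sig)
    after_revoke = (site_a.accept(proxy, ee_cert)[0], site_b.accept(proxy, ee_cert)[0])
    return {"after_local_block": after_block, "forged_revocation_accepted": forged_ok,
            "after_creator_revocation": after_revoke}
```

Running `demo()` gives `after_local_block == (False, True)`: site A's blacklist is a local access decision and the proxy stays usable elsewhere, which is David's point. After the creator's signed revocation reaches both sites the result is `(False, False)`, while the forged revocation from an unrelated key is not accepted, which is the property that keeps third-party revocation from becoming a denial of service. The lifetime check is where Mike's "ephemeral" argument lands: a site can cap how long any proxy is honoured regardless of what the issuer wrote into it.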