pem-dev

Re: PEM Test Service

1993-02-24 15:38:00
From: shirey(_at_)mitre(_dot_)org (Robert W. Shirey)
X-Sender: shirey(_at_)smiley(_dot_)mitre(_dot_)org
Subject: Re: PEM Test Service
Cc: pem-dev(_at_)TIS(_dot_)COM
Sender: pem-dev-relay(_at_)TIS(_dot_)COM
Content-Length: 70

Could you please offer a concrete example of how it "would not fit?"


GMD has three major sites in Birlinghoven (near Bonn, this is the main 
site), Darmstadt and Berlin and has a number of smaller units in other
locations. We decided to operate four CAs with the DNs

< C=DE; O=GMD; OU=CA >
< C=DE; O=GMD; L=Birlinghoven; OU=CA >
< C=DE; O=GMD; L=Darmstadt; OU=CA >
< C=DE; O=GMD; L=Berlin; OU=CA >

where the GMD-wide CA only certifies the three location-CAs, and each 
employee is certified by one of the location-CAs. We used these DNs
with the OU=CA attribute because first we consider a CA to be an 
organization or organizational unit which is operated by administrators,
second to be able to have two different directory entries for the CA
and the site it serves (i.e. to have two different entries for 
< C=DE; O=GMD; L=Darmstadt > and < C=DE; O=GMD; L=Darmstadt; OU=CA >
for instance), and third to be able to see from the DN that it names
a CA. Similarly we operate three DSAs, each maintaining the location
part of the GMD DIB.

Most employees have DNs of the form

< C=DE; O=GMD; L=Birlinghoven; CN=yyy >
< C=DE; O=GMD; L=Darmstadt; CN=yyy >
< C=DE; O=GMD; L=Berlin; CN=yyy >

so that in most cases DNs of the form < C=DE; O=GMD; L=xxx; CN=yyy > are
certified by < C=DE; O=GMD; L=xxx; OU=CA >.

However, for various reasons we also have DNs of the form

< C=DE; O=GMD; OU=xxx; CN=yyy >

where OU=xxx denotes an institute, for instance, or something else. Reasons
are that employees are in none of the three major sites, or that certain
institutes want to have their institute name in their DNs. These DNs are
also certified by one of the three location-CAs < C=DE; O=GMD; L=xxx; OU=CA >.

That's the reality at the moment. It would have been very nice if, once the
Internet CA is operational and we have a PCA in Germany, we could simply
get a certificate for < C=DE; O=GMD; OU=CA > from that PCA and have the
whole GMD staff connected to the PEM certification tree. But as it stands
this will not be the case. We will either have to rename the CAs and
reshuffle the whole thing, or establish a second certification structure.

I admit that it would be possible to do the whole thing with an RFC 1422 style
naming scheme, too, perhaps with a number of restrictions, but I think our
system is not extremely odd.

What we do at the moment with that certification system is just emerging
and in pilot stages, so if we ever have a chance for reorganization or
renaming, then this will be now. But on the other hand, it is very difficult
anyway to motivate colleagues and particularly administration employees
to participate in new security enhanced services or to convince them that
they should put their efforts into a potential gain in security. It would
be very counterproductive to change names, certificates, keys etc. more
often than absolutely necessary.

We are thinking about a number of applications, from a unique GMD-wide access to
system resources to administrative procedures which are currently paper-bound,
which include the usage of X.500 directories also for internal
purposes and which will in the future include system management functionality
(not to be confused with network management functionality) in order to
have a unique management platform for systems and applications. All this
must be founded on a common security infrastructure which includes a common
certification infrastructure. We will have a lot of authorization stuff
derived from authenticated DNs, but I will not say at this point that all
can be done with X.509 certificates. We will have to gain a lot of
experience and then see. But PEM will certainly be only one of our intended
applications which will use the certification stuff.

Wolfgang Schneider
GMD
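
Added example, not part of the thread and not GMD's or MITRE's code: the RFC 1422 name-subordination rule (a CA may only certify DNs to which its own DN is a superior prefix) applied to the DN structure described above, using the message's own "< C=DE; O=GMD; ... >" notation. The renamed structure at the bottom is a constructed illustration of the "rename the CAs" option, not a proposal from the author.

```python
# Added example (not from the pem-dev thread): RFC 1422 name subordination
# checked against the GMD DN layout described in the message above.
# DN syntax follows the page's notation: "< C=DE; O=GMD; L=Darmstadt; OU=CA >".

def parse_dn(text):
    """Parse '< C=DE; O=GMD; OU=CA >' into a list of (type, value) RDNs, root first."""
    inner = text.strip().lstrip("<").rstrip(">")
    rdns = []
    for part in inner.split(";"):
        part = part.strip()
        if not part:
            continue
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def is_subordinate(issuer_dn, subject_dn):
    """True iff the issuer DN is a strict prefix of the subject DN, i.e. the
    RFC 1422 rule that a CA certifies only names subordinate to its own."""
    issuer, subject = parse_dn(issuer_dn), parse_dn(subject_dn)
    return len(issuer) < len(subject) and subject[:len(issuer)] == issuer

def check_chain(pairs):
    """Return the (issuer, subject) pairs that violate name subordination."""
    return [(i, s) for i, s in pairs if not is_subordinate(i, s)]

# The structure as described in the message: OU=CA in every CA name.
GMD_ACTUAL = [
    ("< C=DE; O=GMD; OU=CA >", "< C=DE; O=GMD; L=Darmstadt; OU=CA >"),
    ("< C=DE; O=GMD; L=Darmstadt; OU=CA >", "< C=DE; O=GMD; L=Darmstadt; CN=yyy >"),
    ("< C=DE; O=GMD; L=Darmstadt; OU=CA >", "< C=DE; O=GMD; OU=xxx; CN=yyy >"),
]

# Constructed (hypothetical) renamed structure: CA names drop OU=CA so each
# CA's DN is a prefix of what it certifies; institute DNs (OU=xxx) then have
# to be certified by the GMD-wide CA rather than a location CA.
GMD_RENAMED = [
    ("< C=DE; O=GMD >", "< C=DE; O=GMD; L=Darmstadt >"),
    ("< C=DE; O=GMD; L=Darmstadt >", "< C=DE; O=GMD; L=Darmstadt; CN=yyy >"),
    ("< C=DE; O=GMD >", "< C=DE; O=GMD; OU=xxx; CN=yyy >"),
]

if __name__ == "__main__":
    for name, pairs in (("actual", GMD_ACTUAL), ("renamed", GMD_RENAMED)):
        bad = check_chain(pairs)
        print(f"{name}: {len(bad)} of {len(pairs)} certifications violate subordination")
        for issuer, subject in bad:
            print(f"  {issuer} cannot certify {subject}")
```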


