Steve Kent writes:
Now if GOBI were to certify users under its DN, and if the DN
subordination rule were followed, these users might get certificates
of the form: C=US, S=LA, O=Good Ole Boys Inc., S=AL, L=Mobile,
CN=Rufus T. Fishbone, Jr. (the street address is omitted to keep
things simple). If I were Rufus, I would not be happy with this DN,
and for good reason. Rufus wants a DN that identifies him in a
geopolitical context, irrespective of the CA that issued it, just as
his telephone number didn't change when he switched from AT&T to MCI,
then to Sprint.
Let's get specific. Rufus has "discovered" his residential DN to be
C=US, S=LA, L=Mobile, CN=Rufus T. Fishbone.
In this case, GOBI or WWSI would collect the user ID data
required under the PCA policy established by the BBN Universal
Residential Certification Authority. They can locally store that data
(depending on what the agreement with the PCA requires) and just
forward the residential user's certificate to BBN for signing. BBN
would operate a set of "captive" CAs, one for each geopolitical region
in which it will certify residential users. BBN would then sign the
certificate under the auspices of that geopolitical authority, and
send it back to the user, either directly or via the local
representative. The result is a certification path that preserves the
name subordination rule, a user who gets a DN appropriate for his
geopolitical location, and a policy that makes the operating policy
clear to anyone who receives a certificate issued under this PCA.
I believe that what you are suggesting is that BBN would operate a CA
under this PCA called C=US, S=LA or perhaps C=US, S=LA, L=Mobile to
certify ol' Rufus. This appears to be in violation of the NADF SD-5
naming schema. Under section 1.1.1, "First, a naming authority must
establish the right-to-use for any name to be used, within the
jurisdiction of the given naming authority." Is there any means of
BBN securing the right-to-use such a geopolitical name? If not, does
this imply that the provision of residential certs according to the
PEM specs is incompatible with the NADF recommendations?
Another option is feasible using the certificate signing unit
hardware (SafeKeyper) that BBN manufactures and which can be used with
the RSA Certificate Issuing System (CIS). (We get a good price on
them so we could afford to use several ;-)) BBN could initialize three
SafeKeypers so that a CA private key generated on any of them can be
transferred among this set in encrypted form...
... Each SafeKeyper will issue certificates with
different serial numbers, but traceable to the specific device that
signed the certificate. The CA private key copies will be protected
from disclosure uniformly at each site. The one task remaining is to
ensure that the Subject DNs are globally unique. One could perform
some form of centralized database co-ordination, or we could make the
last RDN a sequence consisting of the employee common name and
employee ID number, which guarantees uniqueness.
This is an excellent approach. One other task that should not be
overlooked is the publication of CRL information. If all three CSUs
are capable of generating valid indistinguishable CRLs then there has
to be some careful coordination and control of the publication of this
information.
Steve Dusse
RSA