[caops-wg] OCSP & Proxy Certs
mulmo at pdc.kth.se
Fri Jan 27 09:44:43 CST 2006
> 2 contradictory thoughts occurred to me
> A) What if proxy certs had a "Made at <X>" stamp on them
> (Does anybody do this now?) Would this help?
This has been discussed before, and that kind of stamp would be useless
unless it came from someone trusted party (i.e., not the user) that "vets"
the key pair: it's associated owner, it's location (maybe), it's level of
protection, and so on.
Having such a beast around would allow us to shortcircuit and circumvent a
lot of the problems, so rather than using it as a patch to the patch to the
original problem, it would allow for completely new usage scenarios.
> But all we can do is stamp the public key, not the private
> key. We can't tell if a private key has migrated somewhere
> we don't want it to be.
Arguably, you don't really care about the location: you care about the
protection. Key server A may securely transfer it to key server B for
redundancy purposes, a key on a smart card moves around as the user moves
around, and so on.
And, as discussed above, you cannot argue about protection level unless the
assertion is made from someone that "manages" the private key and which is
somehow labelled "trusted", e.g. a MyProxy server or a smart card.[*]
[*] Managed credential stores is a phrase that we use in an EGEE context for
this kind of stuff -- see e.g. section 4.3 in DJRA3.3:
More information about the caops-wg