RE: Linking certs from Dan Schutzer on 2007-12-23 (public-wsc-wg@w3.org from December 2007)

From: Dan Schutzer <dan.schutzer@fstc.org>
Date: Sun, 23 Dec 2007 08:16:30 -0500
To: "'Ian Fette'" <ifette@google.com>
Cc: "'Stephen Farrell'" <stephen.farrell@cs.tcd.ie>, "'W3 Work Group'" <public-wsc-wg@w3.org>
Message-ID: <000301c84566$0a591490$6500a8c0@dschutzer>

Actually with some large corporations this is often the practice

  _____  

From: Ian Fette [mailto:ifette@google.com] 
Sent: Sunday, December 23, 2007 7:16 AM
To: Dan Schutzer
Cc: Stephen Farrell; W3 Work Group
Subject: Re: Linking certs

For the case where the certs are valid at the same time, I don't see why
that would be preferable to just having one cert, with the additional
domains in SubjAltName. Unless you don't want to share a private key across
the various sites, but then the question arises of if you're not willing to
share your private key, should I be willing to share my data? 

It seems to me like we are getting way beyond the scope of this group, and
personally I don't see the value of what we're discussing in a broader
sense. What matters in the current world of SSL is that the given cert is
valid for the given site. We're talking about all sorts of extensions just
to support an edge case in a new form-filler that may or may not ever see
broad adoption. If, under the best of cases, it does see adoption but the
cert continuity part is left out, what's the worst that can happen? The user
has to re-type their username and password? Given the strict matching of
this mechanism, it seems to me like the user will be re-typing their
information a lot anyways, and so what's one more re-type every two years? 

It seems like we're climbing down a giant rathole with no pot-of-gold in
sight...

-Ian 

P.s. happy holidays everyone.

On Dec 23, 2007 3:09 AM, Dan Schutzer < dan.schutzer@fstc.org
<mailto:dan.schutzer@fstc.org> > wrote:

This looks like it might be a very useful proposal 

I am wondering if there might not also be a desire to be able to link
certificates as belonging to the same entity, where both certificates might
actually still be in force. For example Bank A has three different 
subsidiaries, with three different names. Each has their own certificate. It
might be useful to be able to recognize that all three certificates are
linked by the fact that they are all part of the same company. 

Dan

-----Original Message-----
From: public-wsc-wg-request@w3.org [mailto:
<mailto:public-wsc-wg-request@w3.org>  public-wsc-wg-request@w3.org] On
Behalf Of Stephen Farrell
Sent: Saturday, December 22, 2007 9:04 AM
To: W3 Work Group
Subject: Linking certs

Tyler was surprised on last week's call that there wasn't a 
good way to link various certs belonging to the same end entity.

I personally hadn't thought about that before and actually
didn't see an obvious way to achieve the result so I've written
up a proposal [1] for a new cert extension that may solve the 
problem.

I doubt that this'd be finished in time for us to make much use
of it in the our REC (though one never knows:-) but it might
be useful for a future version, and I'd definitely be interested 
in whether or not it looks like something the browser vendors
and CA operators might want.

And of course, any and all comments on the draft are welcome.

Cheers,
Stephen.

PS: The draft is an individual submission, not an official IETF 
PKIX WG work item, though I've posted a note to that list too
as they might end up taking it on (or not).

[1] http://tools.ietf.org/html/draft-farrell-pkix-other-certs-00
<http://tools.ietf.org/html/draft-farrell-pkix-other-certs-00>

Received on Sunday, 23 December 2007 13:23:41 UTC