Daniel Kahn Gillmor <d...@fifthhorseman.net> writes:
> On 04/02/2012 03:54 PM, Russ Allbery wrote:

>> You definitely want class 0 and class 2 certs hashed into the same
>> directory under nearly all circumstances that don't involve being very
>> paranoid about the CAs that you accept, since that allows the OpenSSL
>> CAdir directive to work properly and is WAY easier to maintain.

> I'm not convinced that you want class 2 mixed with class 0 in most
> cases. Class 2 certs are used for authentication of your own services;
> A web server might authenticate clients via your organization's private
> CA, for example, while serving your own certificate that is certified by
> a member of the standard cartel to avoid "errors" in common browsers.

> In this case, mixing class 0 and class 2 would be a serious mistake
> (because the web server would then accept client certificates issued by
> the public authority).

Class 2 certs are ones that participate in a chain to a class 0
certificate, so you gain no security in the normal case by omitting class
2 certificates from your directory of class 0 certificates. All you do is
force the server to provide the class 2 chain to the class 0 certificate,
which it normally does anyway.

The only case where it would make a difference is if you have class 2
certificates that you want to provide to clients where the corresponding
root certificate to which they're chaining is not trusted by the same
server. This is rare (even bizarre), as opposed to wanting to use the
OpenSSL CApath directive rather than explicitly configuring the
certificate trust chain, which is both much more common and FAR less
error-prone than the alternative.

In the case where you are authenticating client certificates to a known
internal root, there's no reason not to put that internal root into your
normal trusted CA directory.
You may want to not use the CApath directive for the client certificate
authentication and instead point only to that single certificate to not
trust all the CAs for that particular operation, but that's a separate
configuration that is compatible with including them all in the default
CA directory.

> Class 1 certs almost certainly do not belong in this category, since
> they are generally not intended for use as a certificate authority.

> The X.509 conceptual framework is pretty confusing already, and
> encouraging admins to conflate service certificates with CA
> certificates. It seems like a bad idea to me to mix them.

I can agree with having a separate directory for endpoint client
certificates from CA certificates by default. That makes sense.

I'm actively opposed to separating intermediate certificates and CA
certificates by default, since it breaks CApath and OpenSSL's automatic
handling of constructing certificate chains (in, for example, the Apache
SSLCACertificatePath directive), which is a huge timesaver for TLS
configuration.

-- 
Russ Allbery (r...@debian.org)               <http://www.eyrie.org/~eagle/>
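The CApath chain-building behaviour discussed in this exchange, as an added example that is not part of the thread: it builds a throwaway root (class 0), intermediate (class 2) and leaf (class 1) and checks how `openssl verify -CApath` behaves with and without the intermediate hashed into the directory. It assumes an `openssl` binary of 1.1.1 or newer on PATH; the names root/inter/leaf and the directory names class0/class02 are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: build root -> intermediate -> leaf
# with openssl (assumed 1.1.1 or newer) and show how CApath chain
# building behaves with and without the intermediate hashed in.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Issue a cert: $1=name, $2=issuer name or "self", $3=CA:TRUE|CA:FALSE
issue() {
  cd "$WORK"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" >/dev/null 2>&1
  printf 'basicConstraints=critical,%s\n' "$3" > "$1.ext"
  if [ "$2" = self ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -out "$1.pem" \
      -days 30 -extfile "$1.ext" >/dev/null 2>&1
  else
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
      -CAcreateserial -out "$1.pem" -days 30 -extfile "$1.ext" >/dev/null 2>&1
  fi
}

# Hash certs into a directory the way c_rehash / openssl rehash does:
# a <subject-hash>.0 symlink per cert, which is what CApath lookups expect.
make_capath() {
  dir="$WORK/$1"; shift
  mkdir -p "$dir"
  for c in "$@"; do
    ln -sf "$WORK/$c.pem" "$dir/$(openssl x509 -noout -hash -in "$WORK/$c.pem").0"
  done
}

# Verify leaf.pem against a CApath dir; prints ok/fail rather than exiting.
check() {  # $1=dir under $WORK, remaining args go to openssl verify
  dir="$WORK/$1"; shift
  if openssl verify -no-CAfile -CApath "$dir" "$@" "$WORK/leaf.pem" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

issue root self CA:TRUE
issue inter root CA:TRUE
issue leaf inter CA:FALSE
make_capath class0 root           # class 0 only
make_capath class02 root inter    # class 0 + class 2, as the message recommends

root_only()        { check class0; }                                # fail: chain gap
root_plus_served() { check class0 -untrusted "$WORK/inter.pem"; }   # ok: peer sent it
root_and_inter()   { check class02; }                               # ok: CApath fills the chain
```

The `-untrusted` case models a peer that sends its own intermediate in the handshake; the class02 directory is what lets OpenSSL complete the chain itself when the peer does not.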