
Re: Debian Policy about administrator X.509 certificate stores



Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:
> On 04/02/2012 03:54 PM, Russ Allbery wrote:

>> You definitely want class 0 and class 2 certs hashed into the same
>> directory under nearly all circumstances that don't involve being very
>> paranoid about the CAs that you accept, since that allows the OpenSSL
>> CAdir directive to work properly and is WAY easier to maintain.

> I'm not convinced that you want class 2 mixed with class 0 in most
> cases.  Class 2 certs are used for authentication of your own services;

> A web server might authenticate clients via your organization's private
> CA, for example, while serving your own certificate that is certified by
> a member of the standard cartel to avoid "errors" in common browsers.

> In this case, mixing class 0 and class 2 would be a serious mistake
> (because the web server would then accept client certificates issued by
> the public authority).

Class 2 certs are ones that participate in a chain to a class 0
certificate, so you gain no security in the normal case by omitting class
2 certificates from your directory of class 0 certificates.  All you do is
force the server to provide the class 2 chain to the class 0 certificate,
which it normally does anyway.

The only case where it would make a difference is if you have class 2
certificates that you want to provide to clients where the corresponding
root certificate to which they're chaining is not trusted by the same
server.  This is rare (even bizarre), as opposed to wanting to use the
OpenSSL CApath directive rather than explicitly configuring the
certificate trust chain, which is both much more common and FAR less
error-prone than the alternative.

In the case where you are authenticating client certificates to a known
internal root, there's no reason not to put that internal root into your
normal trusted CA directory.  You may want to not use the CApath directive
for the client certificate authentication and instead point only to that
single certificate to not trust all the CAs for that particular operation,
but that's a separate configuration that is compatible with including them
all in the default CA directory.

> Class 1 certs almost certainly do not belong in this category, since
> they are generally not intended for use as a certificate authority.

> The X.509 conceptual framework is pretty confusing already, and
> encouraging admins to conflate service certificates with CA
> certificates.  It seems like a bad idea to me to mix them.

I can agree with having a separate directory for endpoint client
certificates from CA certificates by default.  That makes sense.

I'm actively opposed to separating intermediate certificates and CA
certificates by default, since it breaks CApath and OpenSSL's automatic
handling of constructing certificate chains (in, for example, the Apache
SSLCACertificatePath directive), which is a huge timesaver for TLS
configuration.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
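
The four configurations argued over in this thread can be exercised directly with the openssl command-line tool. The script below is an added example and is not part of Russ's message or of anything Debian ships: it builds a throwaway root, intermediate and end-entity certificate (the CA names, file names and directory names are constructed for the demonstration, as is the choice of P-256 keys), installs certificates into hashed directories the way c_rehash does (subject-name hash plus a collision counter as the file name), and then runs `openssl verify -CApath` against a directory holding only the root, the root plus the intermediate, and the intermediate alone. It assumes an `openssl` binary of 1.0.2 or later is on PATH.

```shell
#!/bin/sh
# Added example (not from the post): throwaway root -> intermediate -> leaf chain,
# hashed CApath directories, and openssl verify in each configuration discussed.
# Every name and path below is constructed for the demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles. The [req]/[dn] sections exist only so that 'openssl req'
# accepts -subj without prompting; the subject always comes from -subj.
cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = unused
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash
EOF

# P-256 key plus CSR for one entity: new_csr <basename> <common-name>
new_csr() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1.key"
    openssl req -new -key "$1.key" -subj "/CN=$2" -config ext.cnf -out "$1.csr" 2>/dev/null
}
new_csr root         "Example Root CA (constructed)"
new_csr intermediate "Example Intermediate CA (constructed)"
new_csr leaf         "www.example.test"

# Self-signed root: the "class 0" certificate in the thread's terms.
openssl x509 -req -in root.csr -signkey root.key -days 30 \
    -extfile ext.cnf -extensions ca_ext -out root.pem 2>/dev/null
# Intermediate CA signed by the root: "class 2" in Russ's reading.
openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -extfile ext.cnf -extensions ca_ext -out intermediate.pem 2>/dev/null
# End-entity (service) certificate signed by the intermediate.
openssl x509 -req -in leaf.csr -CA intermediate.pem -CAkey intermediate.key -CAcreateserial \
    -days 30 -extfile ext.cnf -extensions leaf_ext -out leaf.pem 2>/dev/null

# Install a certificate into a hashed directory the way c_rehash does:
# <subject-name-hash>.<n>, with n counting up when two subjects collide.
add_to_capath() {  # dir cert
    mkdir -p "$1"
    hash=$(openssl x509 -hash -noout -in "$2")
    n=0
    while [ -e "$1/$hash.$n" ]; do n=$((n + 1)); done
    cp "$2" "$1/$hash.$n"
}
add_to_capath root_only             root.pem
add_to_capath root_and_intermediate root.pem
add_to_capath root_and_intermediate intermediate.pem
add_to_capath intermediate_only     intermediate.pem

# Exit 0 if leaf.pem verifies against hashed directory $1. An optional $2 is the
# chain file a server would send alongside its own certificate (-untrusted).
verify_leaf() {  # dir [chain]
    if [ $# -ge 2 ]; then
        openssl verify -CApath "$1" -untrusted "$2" leaf.pem >/dev/null 2>&1
    else
        openssl verify -CApath "$1" leaf.pem >/dev/null 2>&1
    fi
}

report() {  # label dir [chain]
    label=$1; shift
    if verify_leaf "$@"; then echo "$label: trusted"; else echo "$label: rejected"; fi
}

echo "Hashed entries in root_and_intermediate:"; ls root_and_intermediate
report "root only, server sends no chain"   root_only                     # rejected
report "root only, server sends the chain"  root_only intermediate.pem    # trusted
report "root + intermediate in CApath"      root_and_intermediate         # trusted
report "intermediate only, root absent"     intermediate_only             # rejected
```

The results line up with the argument above. With only the root hashed, the leaf verifies only when the server supplies the intermediate itself; with the intermediate also present, OpenSSL completes the chain from the directory without any help from the peer, which is the convenience the CApath/SSLCACertificatePath style relies on. The last case shows why adding the intermediate costs nothing in trust: in its default mode OpenSSL only accepts a chain that ends at a self-signed certificate in the store, so an intermediate whose root is not in the directory anchors nothing on its own. What decides which client certificates a server accepts is therefore the set of roots in the directory it is pointed at for that operation, which is the separate-configuration point made earlier in the message.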

