Re: questions on root creation

2008-09-25 Thread Frank Hecker
Nelson Bolyard wrote: > The 3 sets of claims used for SSL servers have names "DV", "OV" and "EV". > Of those, EV is well defined and documented. DV is pretty well understood > but I don't know of any document that defines it very well. OV is the > least well defined, which is why browsers do not

Re: questions on root creation

2008-09-24 Thread Nelson Bolyard
Ian G wrote, On 2008-09-24 05:12: > Nelson B Bolyard wrote: >> Ian G wrote: >>> Nelson B Bolyard wrote: >>> The curiosity here is that the Certificate Policies extension may >>> not be shown prominently by software. As the point of the cert is >>> to make some claim to the user, and the essence of

Re: questions on root creation

2008-09-24 Thread Eddy Nigg
On 09/24/2008 03:12 PM, Ian G: > Nelson B Bolyard wrote: >> For PKI to work with ordinary mom-N-pop users, there must be a small >> set of claims common to all CAs honored by a browser. > > > Um. Can you point to that small set of claims? > He meant perhaps this: http://www.mozilla.org/projects/

Re: questions on root creation

2008-09-24 Thread Ian G
Nelson B Bolyard wrote: > Ian G wrote: >> Nelson B Bolyard wrote: > >> The curiosity here is that the Certificate Policies extension may >> not be shown prominently by software. As the point of the cert is >> to make some claim to the user, and the essence of that claim is >> somehow pertinent to

Re: questions on root creation

2008-09-24 Thread Ian G
Paul Hoffman wrote: > At 2:29 PM -0700 9/22/08, Nelson B Bolyard wrote: >> Ian G wrote, On 2008-09-22 09:45: >> > * Naming - any constraints? >>> + O >>> + CN >>> + OU - optional? >>> + Firefox 3 displays O whereas Thunderbird displays CN. >>>What is the preference he

Re: questions on root creation

2008-09-24 Thread Ian G
Ian G wrote: > Paul Hoffman wrote: >> NIST's tables are for "Federal Government unclassified applications" >> (see the table intro on page 65). NIST does not set the rules for US >> Govt secrets; the NSA does. See >> . > > Thank you Nelson! M

Re: questions on root creation

2008-09-24 Thread Ian G
Paul Hoffman wrote: > At 4:59 PM -0700 9/23/08, Nelson B Bolyard wrote: >> In finality, you have to pick a table from someone you believe has done a >> really good job of analyzing it. > > Right. > >> Given that NIST's tables are the basis >> for the US Government's protection of its own secrets,

Re: questions on root creation

2008-09-23 Thread Rob Stradling
On Wednesday 24 September 2008 01:30:15 Paul Hoffman wrote: > At 4:23 PM -0700 9/23/08, Nelson B Bolyard wrote: > >There are also products today that cannot handle SHA-2 hashes, and that limit > >RSA key/signature sizes to 2k bits. I would not advise any CA to limit > >itself to those limits just for

Re: questions on root creation

2008-09-23 Thread Paul Hoffman
At 4:59 PM -0700 9/23/08, Nelson B Bolyard wrote: >In finality, you have to pick a table from someone you believe has done a >really good job of analyzing it. Right. >Given that NIST's tables are the basis >for the US Government's protection of its own secrets, which it guards >jealously, I'm inc

Re: questions on root creation

2008-09-23 Thread Paul Hoffman
At 4:23 PM -0700 9/23/08, Nelson B Bolyard wrote: >Paul Hoffman wrote: >> At 2:29 PM -0700 9/22/08, Nelson B Bolyard wrote: > >>> In CA certs, NSS understands the EKUs to mean "this CA can only issue >>> certs valid for these purposes", rather than meaning that the CA cert >>> itself can be use

Re: questions on root creation

2008-09-23 Thread Nelson B Bolyard
Ian G wrote: > Nelson B Bolyard wrote: > The curiosity here is that the Certificate Policies extension may > not be shown prominently by software. As the point of the cert is > to make some claim to the user, and the essence of that claim is > somehow pertinent to the user's choice, it is underst

Re: questions on root creation

2008-09-23 Thread Nelson B Bolyard
Paul Hoffman wrote: > At 2:29 PM -0700 9/22/08, Nelson B Bolyard wrote: >> In CA certs, NSS understands the EKUs to mean "this CA can only issue >> certs valid for these purposes", rather than meaning that the CA cert >> itself can be used for those purposes. > > I would argue that that interpret

Re: questions on root creation

2008-09-23 Thread Paul Hoffman
(Sorry, missed this before sending my last message.) At 8:11 PM +0200 9/23/08, Ian G wrote: >But, either way, the general result seems to be: a top level root >should not generally include an(y) EKU. Correct. That follows from the RFC. >OK. That looks mostly for the EE certs, so I guess there

Re: questions on root creation

2008-09-23 Thread Paul Hoffman
At 2:29 PM -0700 9/22/08, Nelson B Bolyard wrote: >Ian G wrote, On 2008-09-22 09:45: >> Hi all, > >Hi Ian, >This reply isn't complete. I'm just going to discuss the questions with >easy answers. > >> * the following extended key usage fields within roots: >> + Server Authentication >>

Re: questions on root creation

2008-09-23 Thread Florian Weimer
* Nelson B. Bolyard: >> * expiry should be? >> + minimum 8 years? >> + maximum 30 years? > > In that same NIST publication there is a table of recommended key sizes > to use for secrets that need to be protected until year 2010, 2030, and > beyond. It's table 4, page 66. I think they re

Re: questions on root creation

2008-09-23 Thread Ian G
Nelson B Bolyard wrote: > Ian G wrote, On 2008-09-22 09:45: >> Hi all, > > Hi Ian, > This reply isn't complete. I'm just going to discuss the questions with > easy answers. Thanks! This has cleared up a few of my questions at least. For what it is worth, I have knocked up a starter set of not

Re: questions on root creation

2008-09-22 Thread Nelson B Bolyard
Ian G wrote, On 2008-09-22 09:45: > Hi all, Hi Ian, This reply isn't complete. I'm just going to discuss the questions with easy answers. > * the following extended key usage fields within roots: > + Server Authentication > + Client Authentication > + Secure Email > + ... >