Re: questions on root creation

2008-09-25 Thread Frank Hecker
Nelson Bolyard wrote:
> The 3 sets of claims used for SSL servers have names "DV", "OV" and "EV".
> Of those, EV is well defined and documented. DV is pretty well understood
> but I don't know of any document that defines it very well. OV is the
> least well defined, which is why browsers do not

Re: questions on root creation

2008-09-24 Thread Nelson Bolyard
Ian G wrote, On 2008-09-24 05:12:
> Nelson B Bolyard wrote:
>> Ian G wrote:
>>> Nelson B Bolyard wrote:
>>> The curiosity here is that the Certificate Policies extension may
>>> not be shown prominently by software. As the point of the cert is
>>> to make some claim to the user, and the essence of

Re: questions on root creation

2008-09-24 Thread Eddy Nigg
On 09/24/2008 03:12 PM, Ian G:
> Nelson B Bolyard wrote:
>> For PKI to work with ordinary mom-N-pop users, there must be a small
>> set of claims common to all CAs honored by a browser.
>
>
> Um. Can you point to that small set of claims?
>
He meant perhaps this: http://www.mozilla.org/projects/

Re: questions on root creation

2008-09-24 Thread Ian G
Nelson B Bolyard wrote:
> Ian G wrote:
>> Nelson B Bolyard wrote:
>
>> The curiosity here is that the Certificate Policies extension may
>> not be shown prominently by software. As the point of the cert is
>> to make some claim to the user, and the essence of that claim is
>> somehow pertinent to

Re: questions on root creation

2008-09-24 Thread Ian G
Paul Hoffman wrote:
> At 2:29 PM -0700 9/22/08, Nelson B Bolyard wrote:
>> Ian G wrote, On 2008-09-22 09:45:
>> > * Naming - any constraints?
>>> + O
>>> + CN
>>> + OU - optional?
>>> + Firefox 3 displays O whereas Thunderbird displays CN.
>>> What is the preference he

Re: questions on root creation

2008-09-24 Thread Ian G
Ian G wrote:
> Paul Hoffman wrote:
>> NIST's tables are for "Federal Government unclassified applications"
>> (see the table intro on page 65). NIST does not set the rules for US
>> Govt secrets; the NSA does. See
>> .
>
> Thank you Nelson! M

Re: questions on root creation

2008-09-24 Thread Ian G
Paul Hoffman wrote:
> At 4:59 PM -0700 9/23/08, Nelson B Bolyard wrote:
>> In finality, you have to pick a table from someone you believe has done a
>> really good job of analyzing it.
>
> Right.
>
>> Given that NIST's tables are the basis
>> for the US Government's protection of its own secrets,

Re: questions on root creation

2008-09-23 Thread Rob Stradling
On Wednesday 24 September 2008 01:30:15 Paul Hoffman wrote:
> At 4:23 PM -0700 9/23/08, Nelson B Bolyard wrote:
> >There are also products today that cannot handle SHA-2 hashes, and that limit
> >RSA key/signature sizes to 2k bits. I would not advise any CA to limit
> >itself to those limits just for

Re: questions on root creation

2008-09-23 Thread Paul Hoffman
At 4:59 PM -0700 9/23/08, Nelson B Bolyard wrote:
>In finality, you have to pick a table from someone you believe has done a
>really good job of analyzing it.

Right.

>Given that NIST's tables are the basis
>for the US Government's protection of its own secrets, which it guards
>jealously, I'm inc

Re: questions on root creation

2008-09-23 Thread Paul Hoffman
At 4:23 PM -0700 9/23/08, Nelson B Bolyard wrote:
>Paul Hoffman wrote:
>> At 2:29 PM -0700 9/22/08, Nelson B Bolyard wrote:
>
>>> In CA certs, NSS understands the EKUs to mean "this CA can only issue
>>> certs valid for these purposes", rather than meaning that the CA cert
>>> itself can be use

Re: questions on root creation

2008-09-23 Thread Nelson B Bolyard
Ian G wrote:
> Nelson B Bolyard wrote:
> The curiosity here is that the Certificate Policies extension may
> not be shown prominently by software. As the point of the cert is
> to make some claim to the user, and the essence of that claim is
> somehow pertinent to the user's choice, it is underst

Re: questions on root creation

2008-09-23 Thread Nelson B Bolyard
Paul Hoffman wrote:
> At 2:29 PM -0700 9/22/08, Nelson B Bolyard wrote:
>> In CA certs, NSS understands the EKUs to mean "this CA can only issue
>> certs valid for these purposes", rather than meaning that the CA cert
>> itself can be used for those purposes.
>
> I would argue that that interpret

Re: questions on root creation

2008-09-23 Thread Paul Hoffman
(Sorry, missed this before sending my last message.)

At 8:11 PM +0200 9/23/08, Ian G wrote:
>But, either way, the general result seems to be: a top level root
>should not generally include an(y) EKU.

Correct. That follows from the RFC.

>OK. That looks mostly for the EE certs, so I guess there

Re: questions on root creation

2008-09-23 Thread Paul Hoffman
At 2:29 PM -0700 9/22/08, Nelson B Bolyard wrote:
>Ian G wrote, On 2008-09-22 09:45:
>> Hi all,
>
>Hi Ian,
>This reply isn't complete. I'm just going to discuss the questions with
>easy answers.
>
>> * the following extended key usage fields within roots:
>> + Server Authentication
>>

Re: questions on root creation

2008-09-23 Thread Florian Weimer
* Nelson B. Bolyard:
>> * expiry should be?
>> + minimum 8 years?
>> + maximum 30 years?
>
> In that same NIST publication there is a table of recommended key sizes
> to use for secrets that need to be protected until year 2010, 2030, and
> beyond. It's table 4, page 66. I think they re

Re: questions on root creation

2008-09-23 Thread Ian G
Nelson B Bolyard wrote:
> Ian G wrote, On 2008-09-22 09:45:
>> Hi all,
>
> Hi Ian,
> This reply isn't complete. I'm just going to discuss the questions with
> easy answers.

Thanks! This has cleared up a few of my questions at least. For what it is worth, I have knocked up a starter set of not

Re: questions on root creation

2008-09-22 Thread Nelson B Bolyard
Ian G wrote, On 2008-09-22 09:45:
> Hi all,

Hi Ian,

This reply isn't complete. I'm just going to discuss the questions with easy answers.

> * the following extended key usage fields within roots:
> + Server Authentication
> + Client Authentication
> + Secure Email
> + ...
>

questions on root creation

2008-09-22 Thread Ian G
Hi all,

CAcert is currently working up to create some new roots, as part of their audit process. They've done some research and covered parts of the requirements, but many open questions remain as to the content of a future root.

http://wiki.cacert.org/wiki/Roots/NewRootsTaskForce

Below is a li