Dear PKIX-ers,
I have recently been involved in some discussions about the need to test
the conformance of PKI software in general and, more specifically, CA
software.
One of the biggest problem in testing the software is that CAs would
refuse to generate certificates that are not compliant to their policies
or certificates used for testing purposes only.
The simplest solution would be to have a Policy that is used only for
test certificates, and issue the test certs with that policy OID. Unfortunately,
applications would not understand that those are test certificates and would
allow them to be used also outside test environments - raising a lot of
possible controversies.
My question is: what is the best practices out there ? What do you do to
test your environments ? Do you also have tools to validate your certificates
against your policy documents or are you doing everything by hand ?
To mitigate the problems related to issuing of certificates for test
purposes only, could a critical extension (eg., purpose:test-only) be added
to a certificate in order to allow that to be used in test environments only ?
What I am trying to understand is: shall we try to standardize something that
would allow apps to recognize a ``test'' certificate from ``normal'' certificate ?
--
Best Regards,
Massimiliano Pala
--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager] openca at acm.org
project.manager at openca.org
Dartmouth Computer Science Dept Home Phone: +1 (603) 369-9332
PKI/Trust Laboratory Work Phone: +1 (603) 646-8734
--o------------------------------------------------------------------------
People who think they know everything are a great annoyance to those of us
who do.
-- Isaac Asimov
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.