We issue production certs for testing purposes to be tested in production environments with a limited lifecycle, for example, 1 month or 15 days. All the time, these are controlled and we're working with this customer together, after that, they expire or we revoke them. Is this a good approach?
Iñigo Barreira
Head of the Technical Area
i-barreira at izenpe.net
945016127
-----Original Message-----
From: pkix-bounces at ietf.org [mailto:pkix-bounces at ietf.org] On behalf of Massimiliano Pala
Sent: Tuesday, 17 November 2009 22:13
To: pkix
Subject: [pkix] CA Testing - how to ?
Dear PKIX-ers,
I have recently been involved in some discussions about the need to test the conformance of PKI software in general and, more specifically, CA software.
One of the biggest problems in testing the software is that CAs would refuse to generate certificates that are not compliant with their policies or certificates used for testing purposes only.
The simplest solution would be to have a Policy that is used only for test certificates, and issue the test certs with that policy OID. Unfortunately, applications would not understand that those are test certificates and would allow them to be used also outside test environments - raising a lot of possible controversies.
My question is: what are the best practices out there? What do you do to test your environments? Do you also have tools to validate your certificates against your policy documents or are you doing everything by hand?
To mitigate the problems related to issuing of certificates for test purposes only, could a critical extension (e.g., purpose:test-only) be added to a certificate in order to allow that to be used in test environments only?
What I am trying to understand is: shall we try to standardize something that would allow apps to recognize a "test" certificate from a "normal" certificate?
--
Best Regards,
Massimiliano Pala
--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager] openca at acm.org
project.manager at openca.org
Dartmouth Computer Science Dept Home Phone: +1 (603) 369-9332
PKI/Trust Laboratory Work Phone: +1 (603) 646-8734
--o------------------------------------------------------------------------
People who think they know everything are a great annoyance to those of us who do.
-- Isaac Asimov
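The critical "test-only" extension Massimiliano asks about, as an added example in Go (not code from this thread or from OpenCA): the OID, the extension value and the subject name are constructed placeholders, and the example relies on Go's rule that a certificate with an unhandled critical extension fails Verify, so an application that does not know the extension rejects the certificate, while one that does know it accepts it only in a test environment.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)

// Placeholder OID for the hypothetical "purpose:test-only" extension; nothing is standardized.
var testOnlyOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}
var ErrTestCertInProduction = errors.New("test-only certificate used outside a test environment")

// makeTestOnlyCert issues a constructed, short-lived, self-signed certificate carrying the
// critical test-only extension (value: ASN.1 NULL, bytes 05 00).
func makeTestOnlyCert() (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test-only.example"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(15 * 24 * time.Hour), // 15 days
		IsCA: true, BasicConstraintsValid: true,
		ExtraExtensions: []pkix.Extension{{Id: testOnlyOID, Critical: true, Value: []byte{0x05, 0x00}}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil { return nil, err }
	// The parser records the unknown critical OID in UnhandledCriticalExtensions, so an
	// application that does not know the extension fails Verify: the safe default.
	return x509.ParseCertificate(der)
}

// validate is the check of an application that knows the extension: refuse the certificate
// outside a test environment; inside one, mark only this extension handled and verify.
func validate(c *x509.Certificate, roots *x509.CertPool, testEnv bool) error {
	kept := c.UnhandledCriticalExtensions[:0]
	for _, id := range c.UnhandledCriticalExtensions {
		if !id.Equal(testOnlyOID) {
			kept = append(kept, id) // any other unknown critical extension still fails Verify
		} else if !testEnv {
			return ErrTestCertInProduction
		}
	}
	c.UnhandledCriticalExtensions = kept
	_, err := c.Verify(x509.VerifyOptions{Roots: roots})
	return err
}
```

Because the certificate is self-signed it is used as its own root here; a CA-issued test certificate would be verified against the CA's chain in the same way.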
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.