Hi Max,

that would be a really good tool. Especially when auditing for:

- federating existing PKIs
- periodically testing your PKI
- asserting the compliance to the policy of all the members of a hierarchy

For that to happen, though, we need to work on the definition of a machine-parsable policy (well, at least for the technical aspects) that apps could use to check certificates against. Today, the format of a policy is not specified. Current RFCs provide guidance about the structure of a document. Some CAs publish their policy in English/PDFs, some use other languages/other formats (MS DOC), very few (I know about only one) use XML.

If we provide a FORMAT (e.g., ASN.1) for expressing the technical aspects of a policy, that would be really helpful in auditing activities. Also, apps could finally make use of Policies - something that, at the moment, users do not really care about or understand.

Would a Policy Format document be something the list is interested in? The proposal is not to change the content of a policy, but to specify a format that would be useful to apps.

Also, (maybe - not sure if practical) if such a format was standardized, a user could set the minimum requirements for certificate processing in apps and use those requirements across different apps as well :D

Later,
Max

On 11/17/2009 06:21 PM, max pritikin wrote:
How about code in the (production) client that verifies the retrieved certificate against the active profile? When installing manufacturing certificates onto hardware devices it is especially important to block inadvertent CA config changes (resulting in incorrect certificates). Having strict profile checks in the requesting client would help prevent this.
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.
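
The client-side profile check discussed in this thread, as an added example that is not part of either message. The profile format, its field names and the decoded-certificate dictionaries are hypothetical and constructed, since no standard policy format is defined here.

```python
from datetime import datetime, timedelta

# Hypothetical machine-parsable profile covering technical aspects only.
PROFILE = {
    "issuer_cn": "Example Manufacturing CA", "is_ca": False,
    "key_algorithm": "RSA", "min_key_bits": 2048,
    "signature_algorithms": ["sha256WithRSAEncryption"],
    "max_validity_days": 3650,
    "required_key_usage": ["digitalSignature", "keyEncipherment"],
}

def check_certificate(cert, profile):
    """Return the list of violated profile fields; empty means compliant."""
    problems = []
    if cert.get("issuer_cn") != profile["issuer_cn"]:
        problems.append("issuer_cn")
    if cert.get("key_algorithm") != profile["key_algorithm"]:
        problems.append("key_algorithm")
    elif cert.get("key_bits", 0) < profile["min_key_bits"]:
        problems.append("key_bits")
    if cert.get("signature_algorithm") not in profile["signature_algorithms"]:
        problems.append("signature_algorithm")
    validity = cert["not_after"] - cert["not_before"]
    if not timedelta(0) < validity <= timedelta(days=profile["max_validity_days"]):
        problems.append("validity")
    if set(profile["required_key_usage"]) - set(cert.get("key_usage", [])):
        problems.append("key_usage")
    if cert.get("is_ca") != profile["is_ca"]:
        problems.append("is_ca")
    return problems

def install_if_compliant(cert, profile, store):
    """Strict gate in the requesting client: install only on a clean check."""
    problems = check_certificate(cert, profile)
    if not problems:
        store.append(cert)
    return problems

# Constructed sample data: fields as a client might decode them from a certificate.
_start = datetime(2009, 11, 17)
GOOD_CERT = {
    "issuer_cn": "Example Manufacturing CA", "is_ca": False,
    "key_algorithm": "RSA", "key_bits": 2048,
    "signature_algorithm": "sha256WithRSAEncryption",
    "not_before": _start, "not_after": _start + timedelta(days=3650),
    "key_usage": ["digitalSignature", "keyEncipherment"],
}
# Same request after an inadvertent CA configuration change (constructed).
DRIFTED_CERT = dict(GOOD_CERT, key_bits=1024, is_ca=True,
                    signature_algorithm="sha1WithRSAEncryption")
```

The returned field names tell an operator which part of the CA configuration drifted, and the same profile data could drive a periodic audit across a hierarchy.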