Tuesday, 14 February 2012

On email addresses in distinguished names

Those of you who are sysadmins know we have email addresses in host certificates, in their distinguished names (DNs).  The origin of this decision is lost in the mists of time - it certainly pre-dates the UK e-Science CA - I seem to remember something about host certificates being used as clients and the email address of the contact appearing in the log file, as a forerunner of "robot" certificates - which can't quite be right because initially we did not give host certificates client extensions. But hosts have been used in this way to implement portals.

In any case, the practice is now deprecated, mainly because much of our software (strictly speaking incorrectly) depends on the string representation of the DN, and different software stringifies emailaddress in different ways. We have been meaning to get rid of it for a while, waiting only for some code changes and an update to the policy.

In fact the policy needs updating because in a (very small) number of cases we are doing things that are not consistent with the policy - but which are nonetheless wholly consistent with IGTF. Actually the only examples I can think of is that we have permitted two "software robots," a practice which is permitted by IGTF now but wasn't when our policy was written.

The proposal is now that we remove email addresses from DNs, before the policy rewrite is finished (its about 2/3 done since you ask.) Removing email addresses is clearly consistent with IGTF, but deviates from our historical practice of  preserving the end entity DN across all generations of CA certificates. Having an out of date policy is of course not consistent with IGTF...

The trouble is, how do we know whether people depend on the email address in the DN?  We have no way of knowing how the certificates are being used. Of course we could take the approach that if the certificate is being used for unsupported purposes, then you're on your own. OTOH, we have usually strived not to do that, even if grid software makes that quite difficult (see GFD.125 again, or every rollover).

So we need to leave it to the "owner" of the certificate to decide. The easiest way of doing this is JK's proposal, that we remove email address from new certificates, but keep them on renewal. For host certificates, getting a new certificate is often the same amount of work as a renewal.  Existing certificates are not affected but if you want your certificate to be affected you could revoke it and get a new one.

And of course all this applies only to hosts, there is no change for personal certificates.

No comments: