Re: Normative reference for 'CA rollover'?

[Thierry Moreau <thierry.moreau@xxxxxxxxxxxxx>]

Russ Housley wrote:

> Believe it or not, the new-in-old and old-in-new procedure is documented 
> in CMP.  Many people fail to find it there.  Perhaps it should be 
> extracted from there and published as a BCP.

Well, that's already a specifications-based "solution," i.e. better than 
nothing. I should have notice it before.

If you follow the "catastrophic failure mode" analysis, you soon realize 
 the equivalence between the failure mode that would trigger an 
emergency rollover and the very catastrophic failure mode (of the 
new-in-old and old-in-new procedure). Hence, not very secure. But you 
know because you are specifications-based.

My suspicion is that if you attempt to make it a standalone document, 
you start another round of discussions on better alternate solutions 
(because you make security limitations more conspicuous than they are 
now), falling again in the "security by management exhaustion" vicious 
circle.

But you (the community of which Max is representative by his question) 
do have a solution. Is there a need for a better slution? I guess not. 
(I actually think an equivalent procedure should be implemented in 
DNSSEC validating resolvers instead of comprehensive RFC5011 support, 
fulfilling the expectations of the vast majority of Internet users with 
respect to DNSSEC root key trustworthiness.)

Regards,

> Russ
>
> At 10:47 AM 4/2/2009, max pritikin wrote:
>
>
> > Hi folks,
> >
> > I'm looking for a normative reference describing how a CA would
> > 'rollover' to a new keypair or 'modified' certificate.
> >
> > RFC5280 includes the following statements about 'rollover', here
> > quoted with minimal context:
> >
> >    4.2.1.10 Name Contraints:
> >    "Name constraints are not applied to self-issued certificates
> > (unless
> >    the certificate is the final certificate in the path).  (This could
> >    prevent CAs that use name constraints from employing self-issued
> >    certificates to implement key rollover.)"
> >
> >    6.1. Basic Path Validation:
> >    "A certificate is self-issued if the same DN appears in the subject
> >    and issuer fields (the two DNs are the same if they match according
> >    to the rules specified in Section 7.1).  In general, the issuer and
> >    subject of the certificates that make up a path are different for
> >    each certificate.  However, a CA may issue a certificate to itself
> > to
> >    support key rollover or changes in certificate policies.  These
> >    self-issued certificates are not counted when evaluating path length
> >    or name constraints."
> >
> >    8.  Security Considerations:
> >    "Loss of a CA's private signing key may also be problematic.  The CA
> >    would not be able to produce CRLs or perform normal key rollover."
> >
> > But it does not include a recommended description of this rollover
> > process itself.
> >
> > RFC3647 does not mention rollover at all, although it does define
> > 'renewal' and 'rekey'.
> >
> > I can find informative discussions of rollover for various CA's
> > (thanks Google).
> >
> > Can somebody point me in the right direction? Is there a normative
> > reference or should I be able to infer the "correct" behavior from end
> > entity rekey discussions as per the above notes?
> >
> > Thank you,
> >
> > - max

--

- Thierry Moreau

CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada   H2M 2A1

Tel.: (514)385-5691
Fax:  (514)385-5900

web site: http://www.connotech.com
e-mail: thierry.moreau@xxxxxxxxxxxxx