
Re: Signing CRL with offline CA (was [Fwd: OCSP and CSL]).



Marc Jadoul wrote:

> OK, but maybe there is a solution (that I never tried, and it might be
> incompatible with a lot of existing software):
> 
> If I understand correctly, you do not want to have your CA keys online for
> security reasons? Or more precisely, you do not want to have some key
> online, because this key is able to sign certificates which would be
> verified by the CA certificate you published...?

Unfortunately, the only way to be SURE the key is secure from network attacks
is to unplug the CA... (actually...).
 
> But if you generate a second key for your CA, and use this key ONLY for
> signing CRL, you can achieve what you want.
> 
> Of course you need to sign a CA certificate for this new key. This
> certificate would be signed by your main (old) CA key, but you would use
> a keyUsage extension with only the crlSign bit set. Thus this
> certificate cannot be used to verify certificates but can be used to
> verify CRLs.
> 
> It would be reasonably safe to have the second CA key online. At least
> it is as safe as what you can get with online signing of revocation
> status.
> 
> Note that you probably also need the keyid extension to help
> software find the right CA certificate.
> 
> Let me know if you think it is possible in real life.
> 
> Marc

I am interested in developing a CA that currently available software will
support. Many have sent in the proposal to have a second key pair online
for CRL signing. However, my question is: do current browsers support this
feature? Will they correctly import the CRLs signed that way and verify
certificates against them? Has anyone tried such an approach to the problem
so far?

C'you,

	Massimiliano Pala (madwolf@openca.org)

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
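The scheme Marc describes, as an added example that is not part of this thread and is not OpenCA's or OpenSSL's own code: an OpenSSL command-line walk-through that keeps one key for issuing certificates, issues a second certificate with the same subject name and a keyUsage of cRLSign only for a second key, signs a CRL with that second key alone, and then checks what OpenSSL's own verifier does with the result. It assumes OpenSSL 1.1.1 or later on the path and runs in a temporary directory; the names (Example Root CA, server.example.test), serial numbers and file names are made up for the demonstration. It does not answer the browser question; it shows the relying-party checks the scheme depends on: the CRL's authorityKeyIdentifier (the "keyid extension" mentioned above) selecting the CRL-signer certificate rather than the same-named root, the cRLSign bit on that certificate, and a certificate minted with the online key being rejected.

```shell
#!/bin/sh
# Added example (not from this thread, not OpenCA code). Assumptions: OpenSSL
# 1.1.1+ on PATH; all names, serials and file names below are made up.
#   root.key    - "offline" key: signs certificates and the CRL-signer cert
#   crlsign.key - "online" key: same subject name as the root, cRLSign only
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal OpenSSL config, constructed for this example.
cat > ca.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = req_dn
[ req_dn ]
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_crl_signer ]
# Only cRLSign: relying parties may verify CRLs with it, never certificates.
basicConstraints = critical, CA:FALSE
keyUsage = critical, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ ca ]
default_ca = crl_ca
[ crl_ca ]
database = index.txt
crlnumber = crlnumber
default_md = sha256
default_crl_days = 30
crl_extensions = crl_ext
[ crl_ext ]
# The "keyid" extension from the thread: the CRL names the CRL signer's key,
# so a verifier picks that certificate and not the same-named root.
authorityKeyIdentifier = keyid:always
EOF
touch index.txt
echo 01 > crlnumber

genkey() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null; }
csr()    { openssl req -new -config ca.cnf -key "$1" -subj "/CN=$2" -out "$3" 2>/dev/null; }
# issue CSR ISSUER_CERT ISSUER_KEY EXT_SECTION SERIAL OUT
issue()  {
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -extfile ca.cnf -extensions "$4" \
    -set_serial "$5" -days 365 -out "$6" 2>/dev/null
}

build_pki() {
  genkey root.key
  openssl req -new -x509 -config ca.cnf -extensions v3_root -key root.key \
    -subj "/CN=Example Root CA" -days 3650 -out root.crt 2>/dev/null
  genkey crlsign.key                       # the online key, certified by the root
  csr crlsign.key "Example Root CA" crlsign.csr
  issue crlsign.csr root.crt root.key v3_crl_signer 2 crlsign.crt
  genkey leaf.key                          # an ordinary end-entity cert from the root
  csr leaf.key server.example.test leaf.csr
  issue leaf.csr root.crt root.key v3_leaf 1001 leaf.crt
}

# CRL operations touch only the online key; root.key is never used here.
gen_crl()     { openssl ca -config ca.cnf -gencrl -keyfile crlsign.key -cert crlsign.crt -md sha256 -crldays 30 -out "$1" 2>/dev/null; }
revoke_leaf() { openssl ca -config ca.cnf -revoke leaf.crt -keyfile crlsign.key -cert crlsign.crt 2>/dev/null; }

# Relying-party view: trust root.crt only, hand over the CRL-signer cert as
# untrusted, and enable extended CRL support so OpenSSL will accept a CRL
# issuer that is not the chain's CA certificate, located via the key id.
crl_status() {  # crl_status CERT CRL -> prints good | revoked | error: ...
  out=$(openssl verify -crl_check -extended_crl -CRLfile "$2" \
        -untrusted crlsign.crt -CAfile root.crt "$1" 2>&1) || true
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *": OK"*)                echo good ;;
    *)                       echo "error: $out" ;;
  esac
}

# The online key must not be able to mint certificates. The x509 tool signs
# with it anyway (assumption: no tool-side keyUsage check; if it refuses, the
# outcome is the same), but a relying party rejects the result: crlsign.crt
# lacks keyCertSign and is not a CA, so no chain to root.crt can be built.
rogue_cert_rejected() {
  genkey rogue.key
  csr rogue.key rogue.example.test rogue.csr
  issue rogue.csr crlsign.crt crlsign.key v3_leaf 4242 rogue.crt || return 0
  ! openssl verify -untrusted crlsign.crt -CAfile root.crt rogue.crt >/dev/null 2>&1
}

build_pki
gen_crl crl-empty.pem
BEFORE=$(crl_status leaf.crt crl-empty.pem)     # good
revoke_leaf
gen_crl crl.pem
AFTER=$(crl_status leaf.crt crl.pem)            # revoked
if rogue_cert_rejected; then ROGUE=yes; else ROGUE=no; fi
echo "leaf before revocation: $BEFORE, after: $AFTER; cert minted with the CRL key rejected: $ROGUE"
```

Two points worth noting. OpenSSL only matches a CRL issuer that is not the chain's own CA certificate when extended CRL support is switched on (`-extended_crl` here, `X509_V_FLAG_EXTENDED_CRL_SUPPORT` in the API); without it the CRL is simply not found, which is the kind of implementation detail the question above is asking about for browsers. And the limit of the scheme: the online key cannot issue certificates, but whoever holds it can sign a CRL that omits an entry and so quietly "un-revoke" a certificate until the CA notices, which is the residual risk that remains with any online revocation signer.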