RE: Open Issue in Part1: path length constraints
Steve,
I think of a "CA" as some people in a room with a Safekeeper.
If a CA wants to run its certificate signing functions on a machine
with no network connections, and its CRL signing functions on a
network-connected machine, wouldn't that CA issue a certificate
to its CRL-signing key signed by its certificate-signing key?
If that certificate has cA=false, and keyCertSign=0 and cRLSign=1,
isn't the subject of the certificate "a conforming CA"?
When X.509 says "keyCertSign: for verifying a CA's signature on
certificates", doesn't "a CA" refer to the people with the signing
machine, not a public key in a certificate with cA=true?
Regards,
Dave
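A minimal model of the split Dave describes, added here as an example and not code from the thread: an offline certificate-signing key (cA=true, keyCertSign) certifies a separate online CRL-signing key (cA=false, cRLSign=1). The Cert/Crl fields, the `indirect` flag standing in for the CRL's issuing distribution point, and the name-based "signature" checks are all constructed simplifications.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for the X.509 fields this check needs."""
    subject: str
    issuer: str
    ca: bool             # basicConstraints cA
    key_cert_sign: bool  # keyUsage keyCertSign
    crl_sign: bool       # keyUsage cRLSign

@dataclass(frozen=True)
class Crl:
    issuer: str
    indirect: bool       # assumed flag: CRL declares itself indirect
    revoked: frozenset = frozenset()

def may_issue_certs(c: Cert) -> bool:
    # Certificate signing needs both cA=true and keyCertSign.
    return c.ca and c.key_cert_sign

def may_sign_crls(c: Cert) -> bool:
    # cRLSign alone suffices; cA=false is fine for a dedicated CRL-signing key.
    return c.crl_sign

def chain_ok(cert: Cert, store: dict, anchor: str) -> bool:
    """Walk issuers up to the trust anchor; each issuer must be able to sign certs."""
    seen = set()
    while cert.subject != anchor:
        if cert.issuer in seen or cert.issuer not in store:
            return False
        seen.add(cert.issuer)
        issuer = store[cert.issuer]
        if not may_issue_certs(issuer):
            return False
        cert = issuer
    return True

def crl_usable_for(target: Cert, crl: Crl, store: dict, anchor: str) -> bool:
    """Accept a CRL for `target` only if its signer holds cRLSign, chains to the
    anchor, and is either the target's issuer or a declared indirect CRL issuer."""
    signer = store.get(crl.issuer)
    if signer is None or not may_sign_crls(signer):
        return False
    if not chain_ok(signer, store, anchor):
        return False
    return crl.issuer == target.issuer or crl.indirect

def is_revoked(target: Cert, crl: Crl, store: dict, anchor: str) -> bool:
    # A CRL that is not usable for this certificate says nothing about it.
    return crl_usable_for(target, crl, store, anchor) and target.subject in crl.revoked
```

Run against a constructed root with cA=true/keyCertSign and a CRL signer with cA=false/cRLSign=1, the CRL signer's CRL is accepted for end-entity certificates the root issued, while the same key is rejected as a certificate issuer.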
From: Stephen Kent <kent@xxxxxxx>
>
> The text avoids referring to a CA as the indirect CRL issuer at first,
> but then refers to conforming CAs in the last paragraph. If something
> other than a CA issues an indirect CRL, or any kind of CRL, then the
> wording used throughout 2459 seems to not apply to such an entity,
> because we almost always seem to come back to phrases like "if used by a
> conforming CA ..." The best rationale I've usually heard for indirect
> CRLs has been for one CA to issue a CRL for another, e.g., if the latter
> CA loses the ability to issue CRLs due to destruction of its private
> key.
>
> Steve