I would like to consider including the option to have an entity other than a "cert issuing authority" to sign CRLs. In cases where a Root CA needs to issue certificates infrequently (such as we have at Identrus), but needs to issue CRLs much more frequently, there seems to be a case to have different certificates for these purposes. I don't want to rule out having this option. If we define that having the CA bit set means the capability to issue certificates, this CRL signing entity should not have that bit set. Is it specifically stated somewhere that the assertion of the CA bit is defined as certificate issuance capability? My old X.509 (97) defines a CA as: An authority trusted by one or more users to create and assign certificates. 2459 doesn't provide any more help.
Regards,
Dave Oshman
-----Original Message-----
David,
>Steve,
>
>Stephen Kent wrote:
>
>> I see there is considerable
>> sentiment to allow for non-CA flagged entities to sign CRLs, but I'm
>> not yet sure I understand why folks consider it important to not turn
>> on the CA flag in certs for such entities. After all, since we have
>> separate key usage bits for cert and CRL signing, we can construct a
>> cert for an entity that signs CRLs and not grant that entity the
>> ability to sign certs, if we so desire.
>>
>
>I don't think so. From Section 4.2.1.10:
>
>"If the cA bit is asserted, then the keyCertSign bit in the key
>usage extension
>(see 4.2.1.3) MUST also be asserted."
Good point; I missed that one!
So, if we adhere to this constraint we can't have an entity labelled
as a CA but restricted to issuing only CRLs. So, we need to
reconcile the various parts of the document to have a consistent,
well-defined description of what folks can/should do to separate out
CRL signing from cert signing.
Steve
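The constraint the thread turns on (cA asserted implies keyCertSign asserted, RFC 2459 section 4.2.1.10) is mechanical enough to check in code. The following is an added example, not code from this thread or from any of its participants: it DER-encodes and decodes the keyUsage BIT STRING with the standard library only, then checks the three certificate profiles under discussion (a root CA that also signs CRLs, a separate non-CA CRL signer, and a "CA" restricted to CRL signing). The profile labels, the `Profile` class and the function names are this example's own; the companion rule that keyCertSign may only be asserted in CA certificates is taken from RFC 2459 section 4.2.1.3, which the thread does not quote.

```python
# Added example: encode/decode the X.509 keyUsage BIT STRING and check a
# certificate profile against the RFC 2459 rules on cA and keyCertSign.
# Pure standard library; profile labels and names are constructed here.
from dataclasses import dataclass

# Named bits of KeyUsage (RFC 2459, section 4.2.1.3). Bit 0 is the most
# significant bit of the first content octet of the DER BIT STRING.
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}


def encode_key_usage(names):
    """DER-encode a KeyUsage BIT STRING; trailing zero bits are dropped as DER requires."""
    bits = sorted(KEY_USAGE_BITS[n] for n in names)
    if not bits:
        return b"\x03\x01\x00"  # empty BIT STRING: tag, length 1, zero unused bits
    highest = bits[-1]
    nbytes = highest // 8 + 1
    value = 0
    for b in bits:
        value |= 1 << (nbytes * 8 - 1 - b)
    unused = nbytes * 8 - 1 - highest
    content = bytes([unused]) + value.to_bytes(nbytes, "big")
    return b"\x03" + bytes([len(content)]) + content


def decode_key_usage(der):
    """Parse a short-form DER KeyUsage BIT STRING back into the set of asserted bit names."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a well-formed short-form BIT STRING")
    unused, body = der[2], der[3:]
    if unused > 7 or (not body and unused != 0):
        raise ValueError("bad unused-bits octet")
    total_bits = len(body) * 8 - unused
    return frozenset(
        name for name, bit in KEY_USAGE_BITS.items()
        if bit < total_bits and (body[bit // 8] >> (7 - bit % 8)) & 1
    )


@dataclass(frozen=True)
class Profile:
    """The two extensions the thread is about: basicConstraints.cA and keyUsage."""
    label: str
    ca: bool
    key_usage: frozenset


def check_rfc2459(profile):
    """Return the list of RFC 2459 profile rules violated (empty list means consistent)."""
    problems = []
    if profile.ca and "keyCertSign" not in profile.key_usage:
        problems.append("cA asserted but keyCertSign not asserted (RFC 2459 4.2.1.10)")
    if "keyCertSign" in profile.key_usage and not profile.ca:
        problems.append("keyCertSign asserted but cA not asserted (RFC 2459 4.2.1.3)")
    return problems


def role(profile):
    """Classify what the key may sign, independent of the cA label."""
    can_sign_certs = "keyCertSign" in profile.key_usage
    can_sign_crls = "cRLSign" in profile.key_usage
    if can_sign_certs and can_sign_crls:
        return "cert-and-CRL signer"
    if can_sign_certs:
        return "cert signer only"
    if can_sign_crls:
        return "CRL signer only"
    return "neither"


# Constructed profiles for the three cases discussed in the thread.
SAMPLE_PROFILES = (
    Profile("root CA signing its own CRLs", True, frozenset({"keyCertSign", "cRLSign"})),
    Profile("separate non-CA CRL signer", False, frozenset({"cRLSign"})),
    Profile("'CA' that only signs CRLs (disallowed)", True, frozenset({"cRLSign"})),
)

if __name__ == "__main__":
    for p in SAMPLE_PROFILES:
        der = encode_key_usage(p.key_usage)
        assert decode_key_usage(der) == p.key_usage  # round trip
        print(f"{p.label}: keyUsage={der.hex()} role={role(p)} "
              f"problems={check_rfc2459(p) or 'none'}")
```

Running it shows the point both messages make: the second profile is the entity Dave describes (cRLSign without cA or keyCertSign) and passes, while the third, a certificate labelled CA but restricted to CRLs, fails the 4.2.1.10 rule Steve concedes.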