[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Dedicated CRL signing keys

To: ietf-pkix@xxxxxxx, "Russell Housley (E-mail)" <rhousley@xxxxxxxxxxxxxxx>
Subject: RE: Dedicated CRL signing keys
From: Santosh Chokhani <chokhani@xxxxxxxxxxxx>
Date: Tue, 24 Apr 2001 08:54:47 -0400

Title: RE: Dedicated CRL signing keys

Russ:

One of your comments yesterday was that we can make a choice between simpler client and operational security when I said that some implementations require separate CRL signing keys for operational security reasons.

While I agree with you that this is a trade-off an enterprise needs to make. But, I think the Internet RFC should not make such a choice. I am saying that the RFC should permit both: simple client (same key for certificate and CRL signing) as well as different keys for certificate and CRL signing.

PKIX working group is after all, all about security. We should not say that a secure implementation is not compliant with PKIX.

Follow-Ups:
- RE: Dedicated CRL signing keys
  - From: Housley, Russ

Prev by Date: RE: Dedicated CRL signing keys
Next by Date: RE: delta-CRLs (was Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments)
Previous by thread: RE: Dedicated CRL signing keys
Next by thread: RE: Dedicated CRL signing keys
Index(es):
- Date
- Thread