
RE: Dedicated CRL signing keys



Yes.  So, I guess we agree.

At 04:47 PM 4/26/2001 -0400, Santosh Chokhani wrote:
Russ: Will a CA that signs the certificates and CRLs using different keys, but same Issuer DN be considered compliant?  If yes, then we agree.
 
-----Original Message-----
From: Housley, Russ [mailto:rhousley@xxxxxxxxxxxxxxx]
Sent: Thursday, April 26, 2001 4:36 PM
To: Santosh Chokhani
Cc: ietf-pkix@xxxxxxx
Subject: RE: Dedicated CRL signing keys

Santosh:

Optional is sufficient.  It should NOT be mandatory to have separate signing keys for certificates and CRLs.
Thanks.  I think we agree.

If CAs issue CRLs, then the CA can sign certificates and CRLs with the same key, or the CA can use separate keys.

Certificate-using applications must be able to handle certificates and CRLs signed by the same key.  Certificate-using applications may handle CRLs signed by a different key than the certificates.

If you agree with this position, then we agree.

Russ