Re: Dedicated CRL signing keys



If certificate-using applications MAY handle CRLs signed by a different key
than the certificates, then CAs have no real ability to exercise that option.

I believe:

Certificate-using applications SHOULD handle CRLs signed by a different key
than the certificates.

Dave



"Housley, Russ" wrote:
> Yes.  So, I guess we agree.
> 
> At 04:47 PM 4/26/2001 -0400, Santosh Chokhani wrote:
> > Russ: Will a CA that signs the certificates and CRLs using different keys,
> > but same Issuer DN be considered compliant?  If yes, then we agree.
> >
> > From: Housley, Russ [mailto:rhousley@xxxxxxxxxxxxxxx]
> > > Certificate-using applications must be able to handle certificates and CRLs
> > > signed by the same key.  Certificate-using applications may handle CRLs
> > > signed by a different key than the certificates.
> > >
> > > If you agree with this position, then we agree.
> > >
> > > Russ