
Re: Online Certificate Revocation Protocol



At 03:47 PM 6/8/01 -0700, Hansen Wang wrote:


> > A question:  If one discovers that they have accidentally destroyed their
> > private key (and there is no evidence of compromise), are they under any
> > particular obligation to request revocation?  Is there any liability, or
> > other real "downside" to simply getting a new key and keeping mum about the
> > fate of the former key?

> Assume that the entity which lost their private key wanted another
> certificate with a new key pair but wanted the same name. What would
> happen if there were two certificates in existence with the same name?
> Wouldn't the CA disallow this? Or request documentation/proof (maybe
> by out-of-band methods) of ownership of the name, and then the CA would
> revoke the previous certificate based on the out-of-band proof and issue
> a new one with the same name?
>
> Hansen Wang <hansenw@xxxxxxxxxx>


I don't think so. X.509 supports "key-implies-name". You are suggesting that it also supports "name-implies-key". I don't believe there is such a restriction in general (although a CA may decide per policy).

Is there some specific threat enabled if the key/name relation is many-to-one?

___tony___



Tony Bartoletti 925-422-3881 <azb@xxxxxxxx>
Information Operations, Warfare and Assurance Center
Lawrence Livermore National Laboratory
Livermore, CA 94551-9900
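The two positions in this exchange (X.509's "key-implies-name" binding versus a CA policy that treats the name as owning a single key) can be made concrete with a small model of a CA's certificate index. The following is an added illustration written for this archive page, not code from either poster or from any real CA software; the ToyCA class, the constructed subject names and the byte strings standing in for public keys are all assumptions. It shows that nothing in the default model stops a subject from holding two live certificates with different keys, and what changes when the CA adopts the revoke-on-reissue policy Hansen describes.

```python
"""Toy certificate index: key-implies-name vs. name-implies-key (added example)."""
import hashlib
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    serial: int
    subject: str      # subject distinguished name, e.g. "CN=alice" (constructed)
    spki: bytes       # stands in for the SubjectPublicKeyInfo bytes (constructed)

    @property
    def key_id(self) -> str:
        """SHA-1 of the public key, like a SubjectKeyIdentifier."""
        return hashlib.sha1(self.spki).hexdigest()


class ToyCA:
    """Minimal CA state: issued certs plus a CRL (set of revoked serials).

    revoke_previous_on_reissue=False models plain X.509: a subject name may
    appear on any number of live certificates (name -> key is one-to-many).
    revoke_previous_on_reissue=True models the per-policy restriction Hansen
    proposes: issuing a new cert for a name revokes that name's older certs.
    """

    def __init__(self, revoke_previous_on_reissue: bool = False):
        self.revoke_previous_on_reissue = revoke_previous_on_reissue
        self.certs: dict[int, Cert] = {}
        self.crl: set[int] = set()
        self._serials = itertools.count(1)

    def issue(self, subject: str, spki: bytes) -> Cert:
        if self.revoke_previous_on_reissue:
            # Out-of-band proof of name ownership is assumed to have been checked.
            for old in self.live_certs_for_subject(subject):
                self.revoke(old.serial)
        cert = Cert(next(self._serials), subject, spki)
        self.certs[cert.serial] = cert
        return cert

    def revoke(self, serial: int) -> None:
        self.crl.add(serial)

    def is_live(self, cert: Cert) -> bool:
        return cert.serial not in self.crl

    def live_certs_for_subject(self, subject: str) -> list[Cert]:
        """name-implies-key? Returns every live cert carrying this name."""
        return [c for c in self.certs.values()
                if c.subject == subject and self.is_live(c)]

    def subjects_for_key(self, spki: bytes) -> set[str]:
        """key-implies-name: the names bound to this public key by live certs."""
        return {c.subject for c in self.certs.values()
                if c.spki == spki and self.is_live(c)}


def lost_key_scenario(revoke_previous_on_reissue: bool) -> dict:
    """Alice destroys key1 (no compromise), says nothing, and asks the CA for a
    new cert on key2 under the same name. Returns what a relying party sees."""
    ca = ToyCA(revoke_previous_on_reissue)
    first = ca.issue("CN=alice", b"alice-key-1")   # constructed key material
    second = ca.issue("CN=alice", b"alice-key-2")  # constructed key material
    return {
        "live_serials_for_name": [c.serial for c in ca.live_certs_for_subject("CN=alice")],
        "first_revoked": first.serial in ca.crl,
        "names_for_key1": ca.subjects_for_key(b"alice-key-1"),
        "names_for_key2": ca.subjects_for_key(b"alice-key-2"),
        "distinct_key_ids": len({first.key_id, second.key_id}),
    }


if __name__ == "__main__":
    print("default X.509 policy:", lost_key_scenario(False))
    print("revoke-on-reissue policy:", lost_key_scenario(True))
```

Under the default policy the relying party that looks up by name gets two live certificates and has no way to tell that one key is gone; looking up by key still yields exactly one name, which is the binding X.509 actually guarantees. Under the revoke-on-reissue policy the older serial lands on the CRL as a side effect of reissuance, so the destroyed key's certificate is withdrawn even though its holder never reported it.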