
Re: Online Certificate Revocation Protocol
Tony Bartoletti wrote:
> 
> At 12:01 PM 6/11/01 -0400, Santosh Chokhani wrote:
> >Revocation of a public key certificate whose companion key has been
> >destroyed is a BAD idea.
> >
> >For example, if the subject of the key is a CA, revocation of that public
> >key certificate could cause denial of service for all the certificates
> >issued by that CA.  There is nothing wrong with the certificates.
> 
> I admit I'm on the fence here, but one should be able to "revoke the
> certificate" only in terms that mean "any signatures created after that
> point are invalid", without interfering with the ability to use the public
> key to continue verifying previously signed objects.
> 
> This suggests that CAs (or someone) should provide an historical "was valid
> between" service.  This would mitigate the DoS issue.


<can contents="worms">

There could conceivably be a "key destroyed" revocation reason to handle this
situation.  The problem is that you can't tell from the validity period of a
certificate exactly when the CA issued that cert.  An honest CA will put
accurate validity periods in its certs, but if a CA's key is compromised then
the attacker can issue certs for any period of time.  Once compromised, the
certificate should be properly revoked.

So here's a proposal:

If a key (CA's or otherwise) is destroyed, place the certificate on a CRL
with a "key destroyed" reason.  This indicates that any certificates issued
by that key on or after the time of destruction should be considered invalid.

If, before the key's certificate expires, the key is actually compromised,
issue a new CRL with a "key compromised" revocation reason.  This fully
revokes the certificate, with all that implies.

</can>

		Marc
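An added illustration of the two-stage scheme proposed above, in Python. This is not code from the post or from any standard: the "keyDestroyed" reason code is hypothetical (the standard CRLReason values include keyCompromise and cACompromise but nothing equivalent), the "effective" time on a CRL entry is modelled on the invalidityDate CRL entry extension, and all serial numbers and dates are constructed for the example. A certificate's notBefore stands in for its issuance time, which is exactly the approximation the post says cannot be trusted once the key is compromised.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Dict, List, Optional


class Reason(Enum):
    # Hypothetical reason code from the proposal above; NOT a standard CRLReason.
    KEY_DESTROYED = "keyDestroyed"
    # Standard CRLReason values (RFC 5280: keyCompromise = 1, cACompromise = 2).
    KEY_COMPROMISE = "keyCompromise"
    CA_COMPROMISE = "cACompromise"


@dataclass(frozen=True)
class Entry:
    serial: int          # serial number of the revoked certificate
    reason: Reason
    effective: datetime  # when the key was destroyed, or when compromise is
                         # first suspected (RFC 5280 carries this as invalidityDate)


@dataclass(frozen=True)
class CRL:
    this_update: datetime
    entries: List[Entry]


def latest_entry(crls: List[CRL], serial: int) -> Optional[Entry]:
    """Entry for `serial` from the most recent CRL that lists it, or None.

    A later CRL that upgrades the reason to compromise therefore supersedes an
    earlier "key destroyed" entry for the same certificate.
    """
    for crl in sorted(crls, key=lambda c: c.this_update, reverse=True):
        for entry in crl.entries:
            if entry.serial == serial:
                return entry
    return None


def key_use_acceptable(produced_at: datetime, entry: Optional[Entry]) -> bool:
    """Decide whether an artefact produced with the listed key may be relied on.

    `produced_at` is the notBefore of a certificate the key signed (if the key is
    a CA's) or the time of a signature (if it is an end-entity key).
    """
    if entry is None:
        return True                      # not revoked at all
    if entry.reason is Reason.KEY_DESTROYED:
        # Only uses on or after the destruction time are rejected; earlier ones
        # stay valid. This trusts `produced_at`, which is only safe while the key
        # was in nobody else's hands: an honest CA's notBefore, or a timestamp
        # from a trusted time-stamping authority on a signature.
        return produced_at < entry.effective
    # keyCompromise / cACompromise: the attacker can backdate anything, so no
    # date in the artefact can be trusted. Everything is rejected.
    return False


# --- Constructed scenario: a CA key is destroyed, and later found compromised ---
CA_SERIAL = 1
T0 = datetime(2001, 6, 1)
DESTROYED = T0 + timedelta(days=10)
COMPROMISE_FOUND = DESTROYED + timedelta(days=5)

CRL_DESTROYED = CRL(DESTROYED, [Entry(CA_SERIAL, Reason.KEY_DESTROYED, DESTROYED)])
CRL_COMPROMISE = CRL(COMPROMISE_FOUND,
                     [Entry(CA_SERIAL, Reason.CA_COMPROMISE, COMPROMISE_FOUND)])

# notBefore values of three certificates that chain to the CA (constructed):
SUBJECT_CERTS: Dict[str, datetime] = {
    "honest_before": T0,                                 # issued normally before destruction
    "after_destruction": DESTROYED + timedelta(days=1),  # cannot be genuine
    "forged_backdated": T0 - timedelta(days=1),          # made by an attacker holding a copy
}


def evaluate(crls: List[CRL]) -> Dict[str, bool]:
    """Acceptability of each subject certificate under the given CRL set."""
    entry = latest_entry(crls, CA_SERIAL)
    return {name: key_use_acceptable(nb, entry) for name, nb in SUBJECT_CERTS.items()}


if __name__ == "__main__":
    print("key destroyed only :", evaluate([CRL_DESTROYED]))
    print("then compromised   :", evaluate([CRL_DESTROYED, CRL_COMPROMISE]))
```

Under the "key destroyed" CRL alone, the honestly issued certificate stays usable and the one dated after destruction is rejected, but the forged, backdated certificate is accepted too, since a relying party has only notBefore to go on. That is why the second stage is a full revocation: once the key is known to be compromised, no date inside anything it signed can be trusted, and the later CRL with a compromise reason overrides the earlier entry.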