RE: Question: who signs a CRL if the CA certificate, that signs it, is immediately revoked?
Carolina,
Typically in a PKI the Root CA has multiple key pairs and their key usages
are split up (certificate signing, CRL signing, etc.). So in the event that the
certificate signing key is compromised, it would still be able to sign the
CRL since it would use a different pair of keys to do so.
Karim Ladhani
-----Original Message-----
From: owner-ietf-pkix@xxxxxxxxxxxx
[mailto:owner-ietf-pkix@xxxxxxxxxxxx]On Behalf Of Simonato Carolina
Sent: Tuesday, September 04, 2001 10:42 AM
To: IETF-PKIX
Subject: Question: who signs a CRL if the CA certificate, that signs it, is immediately revoked?
Hello all!
Suppose a simple situation in which a certificate chain is constituted
only by two certificates: a trusted (by some important authority) root
certificate (self-signed) and an end-entity certificate, signed by that
root certificate.
The same root certificate also signs the certificate revocation list (a
unique crl that contains all revoked certificates - for all reasons).
The problem is: who signs the crl when the root certificate is
immediately revoked, because of, for example, CA compromise?
Probably it is necessary to create a new couple of keys (and so a new
root certificate) and sign the crl with the new ca private key?
Or is it possible to create a couple of CA keys to sign only
certificate revocation list and not to make provision for revoking this
last ca root certificate?
I would like to receive suggestions about this topic.
Thank you in advance.
regards
Carolina
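The key-usage split Karim describes, as an added Go example that is not part of this thread: the root CA holds two key pairs, each with its own self-signed trust anchor under the constructed name "Example Root CA", one certificate carrying keyCertSign only and the other cRLSign only. Go's crypto/x509 refuses to issue a CRL under the certificate-signing certificate and accepts one signed by the CRL-signing key, even when the CRL revokes the certificate-signing certificate itself (the CA-compromise case Carolina asks about).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must panics on error so the demo stays short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSigned issues a self-signed trust anchor for "Example Root CA" (constructed
// name) whose key usage carries only the given bit: one anchor per root key pair.
func selfSigned(serial int64, usage x509.KeyUsage, key *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: usage, IsCA: true, BasicConstraintsValid: true, // IsCA also yields a SubjectKeyId
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

// SplitUsageDemo: root key pair A has keyCertSign only, key pair B has cRLSign only.
// A's certificate is revoked (CA compromise); B signs the CRL that announces it.
// Returns the error from using A as CRL issuer, B's CRL, and its verification result.
func SplitUsageDemo() (certKeyErr error, crl *x509.RevocationList, crlCheckErr error) {
	certKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	crlKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	certSigner := selfSigned(1, x509.KeyUsageCertSign, certKey)
	crlSigner := selfSigned(2, x509.KeyUsageCRLSign, crlKey)
	now := time.Now()
	tmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: certSigner.SerialNumber, RevocationTime: now}},
	}
	// The compromised cert-signing key cannot issue the CRL: its certificate lacks cRLSign.
	_, certKeyErr = x509.CreateRevocationList(rand.Reader, tmpl, certSigner, certKey)
	der := must(x509.CreateRevocationList(rand.Reader, tmpl, crlSigner, crlKey))
	crl = must(x509.ParseRevocationList(der))
	crlCheckErr = crl.CheckSignatureFrom(crlSigner) // also demands cRLSign on the verifier's cert
	return
}
```

Relying parties must hold the CRL-signing certificate as a trust anchor in its own right; had it been issued under the compromised certificate-signing key instead, whoever holds that key could mint a CRL signer of their own.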