Re: about Intermediate CA CRLs

Enrique,

> Should an Intermediate CA Certificate include the CRL Distribution Point
> Extension?
 
> One might want to revoke an Intermediate CA Certificate if there's a key
> compromise, therefore publishing a CRL, but that would be completely useless
> if no one's checking it, so my first answer to my own question would be YES.
> 
> Then I wonder how can this be done, as the Root CA key should be off-line,
> as recommended.

RFC 3280 states: The CRL is signed using the CRL issuer's private key;

   The cRLDistributionPoints extension is a SEQUENCE of
   DistributionPoint.  A DistributionPoint consists of three fields,
   each of which is optional: distributionPoint, reasons, and cRLIssuer.
   While each of these fields is optional, a DistributionPoint MUST NOT
   consist of only the reasons field; either distributionPoint or
   cRLIssuer MUST be present.  If the certificate issuer is not the CRL
   issuer, then the cRLIssuer field MUST be present and contain the Name
   of the CRL issuer.  

This means that CRLs can be signed by a key different from the CA key.
To achieve that goal, the CA needs to issue a certificate to the CRL Issuer.
 
> I've noticed that only a few Intermediate CA Certificates include a CRL
> Distribution point, and those CRLs are valid for several months. So I imagine
> that issuing such a CRL must be a manual (i.e. not automated) process, done
> only when there is the urge to revoke the Intermediate CA Certificate.

Some products do not support CRL issuers with a key different from the CA
key, but if you want to keep the CA key as "off-line" as possible, RFC 3280
provides you with a solution.

> Any thoughts?
> 
> again,
> 
> Should an Intermediate CA Certificate include the CRL Distribution Point
> Extension?
> and how can this be done?

It is highly advisable to include in every certificate either a CDP
extension or an AIA extension, so that in an "Open PKI" any relying party
may know where to fetch the revocation status information (CRLs or OCSP
responses).

Denis  
 
>         Enrique Velasco
>         Acepta.com
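An added example, not part of the thread, modelling the RFC 3280 rules Denis quotes: which key is expected to sign the CRL named in a DistributionPoint, and what a relying party has to verify when that key is not the CA key (the CA must have issued the CRL issuer a certificate with cRLSign). The dataclasses, DN strings and URL are constructed stand-ins, not real X.509 parsing.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

@dataclass
class DistributionPoint:          # one element of cRLDistributionPoints
    distribution_point: Optional[str] = None   # fullName URI, or absent
    reasons: Optional[Set[str]] = None          # ReasonFlags, or absent
    crl_issuer: Optional[str] = None            # cRLIssuer DN, or absent

@dataclass
class Certificate:                # constructed stand-in, not real X.509
    subject: str
    issuer: str
    key_usage: Set[str] = field(default_factory=set)
    cdp: List[DistributionPoint] = field(default_factory=list)

@dataclass
class CRL:
    issuer: str                   # DN whose key signed the CRL
    indirect: bool = False        # issuingDistributionPoint.indirectCRL flag

def dp_errors(dp: DistributionPoint) -> List[str]:
    """RFC 3280 4.2.1.14: a DistributionPoint MUST NOT consist of only reasons."""
    if dp.distribution_point is None and dp.crl_issuer is None:
        return ["either distributionPoint or cRLIssuer MUST be present"]
    return []

def expected_crl_signer(cert: Certificate, dp: DistributionPoint) -> str:
    """An absent cRLIssuer means the certificate issuer itself signs the CRL."""
    return dp.crl_issuer if dp.crl_issuer is not None else cert.issuer

def crl_is_acceptable(cert: Certificate, dp: DistributionPoint, crl: CRL,
                      crl_issuer_cert: Optional[Certificate] = None) -> bool:
    """Relying-party checks (RFC 3280 6.3.3) for the CRL fetched from this DP."""
    if dp_errors(dp):
        return False
    signer = expected_crl_signer(cert, dp)
    if crl.issuer != signer:
        return False                  # signed by some other key: ignore it
    if signer == cert.issuer:
        return True                   # ordinary CRL signed with the CA key
    # Indirect CRL: the CA must have certified the CRL issuer for cRLSign,
    # and the CRL must mark itself as indirect.
    return (crl.indirect
            and crl_issuer_cert is not None
            and crl_issuer_cert.subject == signer
            and crl_issuer_cert.issuer == cert.issuer
            and "cRLSign" in crl_issuer_cert.key_usage)
```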