RE: Offline Root CA with valid CRL hierarchy
Yes, I did exactly that for a large oil and gas company. The
cryptographic shares, n of m, are locked away under extensive controls
designed to assure separation of duties and physical security.
At 09:17 AM 12/23/2002 -0500, Roger Younglove wrote:
The proper way would
be to write the CP stating that the off line root will be brought up at a
minimum of once a year to issue a CRL, in order to sign a new subordinate
or issue a CRL for a subordinate.
Roger Younglove, CISSP
Principal Consultant
NetWorks Group
O. 810.225.4800 ex. 2245
M. 810.599.0879
E. ryounglove@xxxxxxxxxxxxxxxxx
www.networksgroup.com
-----Original Message-----
From: Haaino Beljaars [mailto:beljaars@xxxxxxxxxxxx]
Sent: Monday, December 23, 2002 6:36 AM
To: Mark Scherling
Cc: ietf-pkix@xxxxxxx
Subject: Re: Offline Root CA with valid CRL hierarchy
> You can still publish a CRL for an off-line CA. You will need to establish
> a fairly long expiry time for the CRL if you do not plan to bring the CA
> on-line often. In many cases the Root CA is off-line and only used to issue
> new intermediary CAs or revoke intermediary CAs. You will need to establish
> a very good procedure for startup and shutdown of the root CA (two person
> control, locked in a safe, two person combination on the safe, documenting
> each time the CA is removed, etc.) The reason for documenting the process
> is for audit purposes.
>
> You will also need to document in your CP that the CA is off-line and that
> the onus is on the relying party to verify that an intermediary CA is still
> valid.
I agree that you still publish a valid CRL for an offline Root CA. The
problem is the following example: I issue a CRL with the Root CA with a
validity of, for example, a month, and after issuing the CRL I take it
offline. During that month, for example after two weeks, one of the
intermediate CAs is compromised and I have to revoke that CA. According to
the specs I can only issue a CRL which has a validity time that starts after
the current one. This means in practice that I have a valid intermediate CA
for over two weeks, but in reality that intermediate CA is revoked. How can
I let everybody know during that two week period that the intermediate CA is
compromised, taking into account: "Conforming applications are NOT REQUIRED
to support processing of delta CRLs, indirect CRLs, or CRLs with a scope
other than all certificates issued by one CA"?
Best regards,
Haaino
Senior Consultant
Technical Consulting Practice, Northeast Region
Schlumberger Network Solutions
jkazin@xxxxxxxxxxxxxxxxxxxxxx
www.slb.com/nws
35 Waterview Blvd.
Suite 210
Parsippany, NJ 07054-1200
USA
Phone +1 914-769-8780
Mobile +1 914-645-5598
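The timing problem Haaino describes, as an added example that is not part of the thread: a small Python model (standard library only, constructed dates and a made-up serial number) of a root CRL issued with a one-month nextUpdate and a replacement CRL issued two weeks later, showing how long a relying party that caches the CRL until nextUpdate takes to learn of the revocation compared with one that re-fetches daily.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, Optional, Sequence

# Constructed sample values: the dates follow the scenario in the thread,
# the intermediate CA serial number is made up for the example.
ROOT_CRL_LIFETIME = timedelta(days=30)
INTERMEDIATE_SERIAL = 0x1234

@dataclass(frozen=True)
class Crl:
    this_update: datetime        # CRL thisUpdate field
    next_update: datetime        # CRL nextUpdate field
    revoked: FrozenSet[int]      # serial numbers listed as revoked

def newest_published(crls: Sequence[Crl], at: datetime) -> Optional[Crl]:
    """What a fresh fetch from the CRL distribution point returns at `at`:
    the CRL with the latest thisUpdate that has already been issued."""
    issued = [c for c in crls if c.this_update <= at]
    return max(issued, key=lambda c: c.this_update) if issued else None

def first_seen_revoked(crls, serial, start, refresh_every=None,
                       horizon=timedelta(days=90)) -> Optional[datetime]:
    """Time at which a relying party first sees `serial` on a CRL. The client
    fetches at `start`, then re-fetches when its cached CRL reaches nextUpdate
    (the common policy), or every `refresh_every` if that comes sooner."""
    t = start
    while t <= start + horizon:
        crl = newest_published(crls, t)
        if crl is None:
            return None
        if serial in crl.revoked:
            return t
        next_fetch = crl.next_update
        if refresh_every is not None:
            next_fetch = min(next_fetch, t + refresh_every)
        if next_fetch <= t:          # cached CRL already stale, nothing newer exists
            return None
        t = next_fetch
    return None

# Root CRL issued, root taken offline, intermediate compromised two weeks
# later, root brought back to issue a replacement CRL that lists it.
T0 = datetime(2002, 12, 23)
COMPROMISE = T0 + timedelta(days=14)
ROOT_CRLS = [
    Crl(T0, T0 + ROOT_CRL_LIFETIME, frozenset()),
    Crl(COMPROMISE, COMPROMISE + ROOT_CRL_LIFETIME, frozenset({INTERMEDIATE_SERIAL})),
]

def detection_delay(refresh_every=None) -> Optional[timedelta]:
    """How long after the compromise the modelled relying party learns of it."""
    seen = first_seen_revoked(ROOT_CRLS, INTERMEDIATE_SERIAL, T0, refresh_every)
    return None if seen is None else seen - COMPROMISE

if __name__ == "__main__":
    print("cache until nextUpdate:", detection_delay())                   # 16 days
    print("re-fetch daily:        ", detection_delay(timedelta(days=1)))  # 0 days
```

The first policy only discovers the revocation when the original CRL expires, so the two-week window in the question is really the remaining life of the cached CRL; the second policy closes it at the cost of a fetch per day.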