
RE: CA Rekey and CRL Validation



If your relying parties plan to use MS CAPI, when you re-key a CA, change
its name.

If you plan to use other toolkits, make sure that they build the path to CRL
and match DNs one for one and in sequence (of the certification path to the
certificate and certification path to the CRL signer) ignoring self-issued
certificates, but including the DN of the two trust anchors for the two
paths.
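The DN-matching rule just described, as an added example that is not part of the original thread: a minimal check over constructed (subject DN, issuer DN) paths, assuming both paths have already been built and signature-verified, so only the name sequence is compared here.

```python
# Added example, not from the thread: the DN-sequence check the reply describes,
# in the spirit of RFC 3280 section 6.3 CRL issuer validation. Certificates are
# modelled as (subject DN, issuer DN) pairs; every DN below is constructed for
# illustration, and signatures and key identifiers are assumed already verified.

def is_self_issued(cert):
    """Self-issued: subject and issuer DNs are identical, e.g. a rekey
    'link' certificate that certifies the new CA key with the old one."""
    subject, issuer = cert
    return subject == issuer

def ca_dn_sequence(path):
    """Subject DNs of a path, ordered from the first CA up to the trust
    anchor, skipping self-issued certificates but always keeping the anchor."""
    *below_anchor, anchor = path
    seq = [cert[0] for cert in below_anchor if not is_self_issued(cert)]
    seq.append(anchor[0])
    return seq

def crl_issuer_matches(cert_path, crl_signer_path):
    """True when the certificate's issuer chain and the CRL signer's chain
    name the same CAs, one for one and in sequence. cert_path starts at the
    end-entity certificate; crl_signer_path starts at the CRL signer."""
    return ca_dn_sequence(cert_path[1:]) == ca_dn_sequence(crl_signer_path)

# Constructed DNs for the scenarios the thread discusses.
ROOT = "CN=Example Root"
CA = "CN=Example Issuing CA"
EE = "CN=user@example.test"

root_cert = (ROOT, ROOT)
ca_old = (CA, ROOT)        # CA certificate for the old key
ca_link = (CA, CA)         # self-issued: new key certified by the old key
ca_new = (CA, ROOT)        # alternative: new key certified directly by the root
ca_renamed = ("CN=Example Issuing CA G2", ROOT)   # rekey with a name change
ee_cert = (EE, CA)         # issued and signed under the old key

cert_path = [ee_cert, ca_old, root_cert]

# Rekey cases: the CRL is signed with the newer key, the certificate with the older.
rekey_via_link = [ca_link, ca_old, root_cert]   # accepted: link cert is ignored
rekey_via_root = [ca_new, root_cert]            # accepted: same DN sequence
rekey_renamed = [ca_renamed, root_cert]         # rejected: different CA DN

if __name__ == "__main__":
    for label, path in [("link cert", rekey_via_link),
                        ("root-certified", rekey_via_root),
                        ("renamed CA", rekey_renamed)]:
        print(f"{label}: CRL issuer matches = {crl_issuer_matches(cert_path, path)}")
```

A rekey under a new name produces a different DN sequence, so this check treats the renamed CA's CRL as coming from a different issuer; only a rekey that keeps the CA name passes.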

-----Original Message-----
From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx] On
Behalf Of Luciano (Pessoal)
Sent: Friday, September 10, 2004 4:30 PM
To: ietf-pkix@xxxxxxx
Subject: CA Rekey and CRL Validation



Hi All,

	I have found the following sentence in a Microsoft paper
(Troubleshooting Certificate Status and Revocation) and I suppose that it is
about the use of cRLIssuer on CRLs and certificates.

"... Important: The Windows operating system family can only verify a CRL
that was signed by the same private key used to sign the issued certificate.
The Windows operating system does not support CRLs signed by an entity other
than the CA that signed the issued certificate. ...."

    My doubt is: What would happen in the case of a CA Rekey?

    I know from item "5.1.1.3" of RFC 3280 that a CRL can be signed by a
different key from the one used to sign certificates.
   
    But I'm not sure how this topic fits in the case of a CA Rekey where
a CRL is signed with the newer key and the certificates being verified were
signed with the older one.

    In the item "5.1.1.3" we have the text ".....Applications that perform
CRL checking MUST support certification path validation when certificates
and CRLs are digitally signed with the same CA private key.  These
applications SHOULD support certification path validation when certificates
and CRLs are digitally signed with different CA private keys."

    I think Microsoft is ok, considering that the validation of certificates and
CRLs signed with different CA private keys is an OPTIONAL feature (because
of SHOULD). So I ask you: What about CA Rekey?


    Thanks in advance,

    Luciano Coelho

PS: I'm not concerned about this possible "limitation" in Microsoft's CRL
validation process. I'm interested in how a CA REKEY can interfere with
CRL checking/validation.