[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: CA Rekey and CRL Validation

To: <ietf-pkix@xxxxxxx>
Subject: RE: CA Rekey and CRL Validation
From: "Santosh Chokhani" <chokhani@xxxxxxxxxxxx>
Date: Sat, 11 Sep 2004 12:51:46 -0400
Importance: Normal
In-reply-to: <>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Sender: owner-ietf-pkix@xxxxxxxxxxxx

Dave:

You can keep the old CA name, if you do one of the following (there may be
other options also).

1.  Assert different CRL DP and put the matching IDP in the CRL of the two
sets of certificates; or

2.  Put all the certificates on the revoked list, but issue two CRLs, one
signed with the old key and the other one signed with the new key.  Both
CRLs will have the same and complete list of revoked certificates.

-----Original Message-----
From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx]
On Behalf Of David Engberg
Sent: Saturday, September 11, 2004 9:47 AM
To: Santosh Chokhani
Cc: ietf-pkix@xxxxxxx
Subject: Re: CA Rekey and CRL Validation



Right ... that's what I meant by "with a new CRLdp", but I should have
spelled it out more explicitly.

One clarification from your other email:  if I use a different CRL DP in
the new certs, I may keep the same CA subject name for the new CA
certificate, correct?


Santosh Chokhani wrote:
> David Engberg:
>
> I do not know if you meant it or not, but the CA name must change,
> else the two sets of certificates and two CRLs must be issued using
> appropriate CRL DP and IDP respectively.  Otherwise, you will break
> the security and be not compliant with the standards.
>
> -----Original Message-----
> From: owner-ietf-pkix@xxxxxxxxxxxx
> [mailto:owner-ietf-pkix@xxxxxxxxxxxx]
> On Behalf Of David Engberg
> Sent: Friday, September 10, 2004 11:23 PM
> To: Luciano (Pessoal)
> Cc: ietf-pkix@xxxxxxx
> Subject: Re: CA Rekey and CRL Validation
>
>
>
> I would bet that most certificate-enabled software will not properly
> discover or process a separate CRL-signing certificate.  Section
> 5.1.1.3 specifically warns that this practice "imposes a burden on
> applications, and it might limit interoperability."
>
> Interoperability is easiest if you treat a "rekey" as an issuance of a
> separate cross-trusted CA.  Continue to issue a CRL for the old certs
> using the old key until all old certs have expired.  Issue a separate
> CRL for new certs (with a new CRLdp) using the new key.  This
> generates two CRLs instead of one, but the total size is the basically
> the same.
>
> This means, of course, that you have to keep the old key around for a
> little while until its old issued certs expire.
>
>
> Luciano (Pessoal) wrote:
>
>>"... Important: The Windows operating system family can only verify a
>>CRL that was signed by the same private key used to sign the issued
>>certificate. The Windows operating system does not support CRLs signed
>>by an entity other than the CA that signed the issued certificate.
>>...."
>
> ...
>
>
>>    I think Microsoft is ok considering the validation of certificates
>>and CRLS signed with different CA private keys is an OPTIONAL feature
>>(because of SHOULD). Once, I ask you: What about CA Rekey?

Attachment: smime.p7s
Description: S/MIME cryptographic signature

References:
- Re: CA Rekey and CRL Validation
  - From: David Engberg

Prev by Date: Re: CA Rekey and CRL Validation
Next by Date: Re: CA Rekey and CRL Validation
Previous by thread: Re: CA Rekey and CRL Validation
Next by thread: Re: CA Rekey and CRL Validation
Index(es):
- Date
- Thread