
RE: Conclusions: CA Rekey and CRL Validation



Because a CA MAY change DN when renewing its key?

> -----Original Message-----
> From: owner-ietf-pkix@xxxxxxxxxxxx
> [mailto:owner-ietf-pkix@xxxxxxxxxxxx] On Behalf Of Luciano (Pessoal)
> Sent: Friday, 17 September 2004 16:59
> To: ietf-pkix@xxxxxxx
> Subject: Conclusions: CA Rekey and CRL Validation
> 
> 
> 
> After all this discussion, it is correct to affirm:
>
> 1) To do a CA-Rekey it is not necessary to change the CA's DN.
>
> 2) The "newer CA" can issue CRLs that contain revocation information
> about all the certificates issued using the new and the old key.
>
> 3) It is not necessary to maintain the older CA key for issuing CRLs that
> contain only revocation information about certificates issued using the
> old key (neither containing revocation info about certificates issued by
> the "newer CA").
>
> 4) A certificate issued by the "older CA" can be validated using the CRL
> issued by the "newer CA", without being considered a security problem.
>
> 5) For all the aspects of X509 and RFC 3280, the "newer CA" and the
> "older CA" are considered the SAME CA.
> 
> 
> Thank you,
> 
> Luciano Coelho
> 
>