RE: Conclusions: CA Rekey and CRL Validation



See responses in-line in [].

-----Original Message-----
From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx] On
Behalf Of Luciano (Pessoal)
Sent: Friday, September 17, 2004 10:59 AM
To: ietf-pkix@xxxxxxx
Subject: Conclusions: CA Rekey and CRL Validation



After all this discussion, it is correct to affirm:

1) To do a CA rekey it is not necessary to change the CA's DN.

[MS CAPI will require that a CRL be signed using all the keys that
certificates were issued with and have not expired]

2) The "newer CA" can issue CRLs that contain revocation information about
all the certificates issued using the new and the old key.

[It is the same CA.  It is not a different CA.  So, the term "newer CA" does
not make sense]

3) It is not necessary to maintain the older CA key for issuing CRLs that
contain only revocation information about certificates issued using the old
key (nor ones containing revocation info about certificates issued by the
"newer CA").

[Again, newer CA does not make sense.  If you do this, MS CAPI will not
verify the paths for older certificates]

4) A certificate issued by the "older CA" can be validated using the CRL
issued by the "newer CA", without this being considered a security problem.

[Again, the terms newer and older are inappropriate]

5) For all the aspects of X509 and RFC 3280, the "newer CA" and the "older
CA" are considered the SAME CA.


Thank you,

Luciano Coelho
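The distinction this exchange turns on, as an added example that is not part of either message: a Go program (standard library only) builds a CA, rekeys it under the same DN, issues an end-entity certificate under the old key and a CRL under the old or the new key, then checks the CRL under the RFC 3280 rule (same issuer name, signature from any trusted key of that CA) and under the stricter key-bound rule the reply attributes to MS CAPI. The DN "Example CA", the serial numbers and the P-256 keys are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
func parse(der []byte, err error) *x509.Certificate { return must(x509.ParseCertificate(must(der, err))) }
// caCert: self-signed CA for one constructed DN. Two calls with different keys model the rekey: same name, new key.
func caCert(k *ecdsa.PrivateKey, serial int64) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "Example CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(48 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	return parse(x509.CreateCertificate(rand.Reader, t, t, &k.PublicKey, k))
}
// makeCRL issues a CRL in ca's name, signed with caKey, revoking one serial.
func makeCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked int64) *x509.RevocationList {
	t := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(revoked), RevocationTime: time.Now()}}}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, t, ca, caKey))))
}
// crlUsableFor: strictKey=false is the RFC 3280 rule (CRL issuer name == cert issuer name, signature verifies under any
// trusted cert of that CA, old key or new); strictKey=true, the MS CAPI behaviour the reply describes, also needs CRL key id == cert AKI.
func crlUsableFor(crl *x509.RevocationList, ee *x509.Certificate, trusted []*x509.Certificate, strictKey bool) bool {
	if string(crl.RawIssuer) != string(ee.RawIssuer) { return false }
	for _, ca := range trusted {
		if crl.CheckSignatureFrom(ca) == nil && (!strictKey || string(ca.SubjectKeyId) == string(ee.AuthorityKeyId)) {
			return true
		}
	}
	return false
}
// rekeyScenario: cert issued under the old key, CRL signed with the old or the new key; returns (RFC 3280 ok, strict ok).
func rekeyScenario(crlSignedWithNewKey bool) (lenient, strict bool) {
	kOld, kNew := newKey(), newKey()
	oldCA, newCA := caCert(kOld, 1), caCert(kNew, 2) // same DN, different keys: the rekey
	ee := parse(x509.CreateCertificate(rand.Reader, &x509.Certificate{SerialNumber: big.NewInt(100), Subject: pkix.Name{CommonName: "user"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}, oldCA, &newKey().PublicKey, kOld))
	crl := makeCRL(oldCA, kOld, 101)
	if crlSignedWithNewKey { crl = makeCRL(newCA, kNew, 101) }
	trusted := []*x509.Certificate{oldCA, newCA}
	return crlUsableFor(crl, ee, trusted, false), crlUsableFor(crl, ee, trusted, true)
}
```

With the CRL signed by the new key, the RFC 3280 rule accepts it for the old-key certificate while the key-bound rule rejects it; a CRL signed by the old key passes both, which is why the reply says a CRL must be signed with every key that unexpired certificates were issued under.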