
Re: Conclusions: CA Rekey and CRL Validation
Luciano (Pessoal) wrote:

> 2) The "newer CA" can issue CRLs that contain revocation information
> about all the certificates issued using the new and the old key.


I don't like this 'can' :-)

It ***MUST*** issue CRLs [...] about *ALL* the certificates issued using the new and the old key.

> 3) It is not necessary to maintain the older CA key for issuing CRLs that
> contain only revocation information about certificates issued using the
> old key (neither containing revocation info about certificates issued by
> the "newer CA").


It's not necessary, but you may need it for applications that do not support verification of a CRL with a key different from the key that signed the certificate.

In which case: the older CA key ***MUST*** issue CRLs [...] about *ALL* the certificates issued using the new and the old key.
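Added example, not part of the thread: a small Python model (using the `cryptography` library) of the two validator behaviours discussed above. A rekey-aware relying party accepts a CRL signed by any of the CA's keys for the same issuer name; the stricter applications mentioned above (`same_key_only=True`) only accept a CRL signed by the very key that signed the certificate, which is why the old key must then also sign a CRL covering all certificates. All names, serials and keys are constructed for the demo.

```python
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo Rekeyed CA")])  # constructed: one DN kept across the rekey
T0 = dt.datetime(2024, 1, 1)

def issue_cert(ca_key, cn, serial):
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
            .issuer_name(CA_NAME)
            .public_key(ec.generate_private_key(ec.SECP256R1()).public_key())
            .serial_number(serial)
            .not_valid_before(T0).not_valid_after(T0 + dt.timedelta(days=365))
            .sign(ca_key, hashes.SHA256()))

def issue_crl(ca_key, revoked_serials):
    """CRL signed by ca_key; it may list serials issued under any of the CA's keys."""
    b = (x509.CertificateRevocationListBuilder().issuer_name(CA_NAME)
         .last_update(T0).next_update(T0 + dt.timedelta(days=7)))
    for s in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                      .serial_number(s).revocation_date(T0).build())
    return b.sign(ca_key, hashes.SHA256())

def signed_by(cert, pub):
    try:
        pub.verify(cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def check_revocation(cert, crl, ca_pubs, same_key_only):
    """Return 'revoked', 'good' or 'unverifiable' for cert according to crl."""
    # same_key_only: only the CA key that signed cert may vouch for its CRL
    acceptable = [p for p in ca_pubs if not same_key_only or signed_by(cert, p)]
    if not any(crl.is_signature_valid(p) for p in acceptable):
        return "unverifiable"  # the CRL cannot be trusted for this certificate
    return "revoked" if crl.get_revoked_certificate_by_serial_number(cert.serial_number) else "good"

def demo():
    old_key, new_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(2))
    old_cert, new_cert = issue_cert(old_key, "pre-rekey", 1001), issue_cert(new_key, "post-rekey", 2002)
    crl_new = issue_crl(new_key, [1001, 2002])  # new key covers ALL certificates (point 2)
    pubs = [old_key.public_key(), new_key.public_key()]
    return (check_revocation(old_cert, crl_new, pubs, same_key_only=False),
            check_revocation(old_cert, crl_new, pubs, same_key_only=True),
            check_revocation(old_cert, issue_crl(old_key, [1001, 2002]), pubs, same_key_only=True))
```

`demo()` returns `("revoked", "unverifiable", "revoked")`: the strict validator cannot use the new key's CRL for a certificate signed by the old key, so without an old-key CRL that also lists every serial it never learns the certificate was revoked.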