Re: Conclusions: CA Rekey and CRL Validation
Not considering the "feature" implemented by MS.
We have the chain below for the end entity certificate "EE_X".
TA->CA1->CA2->EE_X (where TA is considered a trust anchor).
CA2 is rekeyed and a new certificate, CA2', is generated for it with
the same DN.
After the rekey, CA2 issues a CRL "CRL2". The certification path for
this CRL is:
TA->CA1->CA2'->CRL2
"CRL2" has revocation information about all certificates issued under both
the "CA2" and "CA2'" certificates.
"CRL2" doesn't have IDP extension.
My doubts are:
1) Following the algorithm
(http://www.imc.org/ietf-pkix/mail-archive/msg03268.html) proposed by
Santosh, can I use the CRL "CRL2" to verify the certificate "EE_X"? If
not, why?
2) If I can do the verification above, as I suppose, why do I need to issue
CRLs using the old key (associated with CA2)?
Thanks in advance.
Luciano Coelho
Santosh Chokhani wrote:
>See responses in-line in [].
>
>-----Original Message-----
>From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx] On
>Behalf Of Luciano (Pessoal)
>Sent: Friday, September 17, 2004 10:59 AM
>To: ietf-pkix@xxxxxxx
>Subject: Conclusions: CA Rekey and CRL Validation
>
>
>
>After all this discussion, it is correct to affirm:
>
>1) To do a CA-Rekey it is not necessary to change the CA's DN.
>
>[MS CAPI will require that a CRL be signed using all the keys that
>certificates were issued with and have not expired]
>
>2) The "newer CA" can issue CRLs that contain revocation information about
>all the certificates issued using the new and the old key.
>
>[It is the same CA. It is not a different CA. So, the term "newer CA" does
>not make sense]
>
>3) It is not necessary to maintain the older CA key for issuing CRLs that
>contain only revocation information about certificates issued using the old
>key (neither containing revocation info about certificates issued by the
>"newer CA").
>
>[Again, newer CA does not make sense. If you do this, MS CAPI will not
>verify the paths for older certificates]
>
>4) A certificate issued by the "older CA" can be validated using the CRL
>issued by the "newer CA", without being considered a security problem.
>
>[Again, the terms newer and older are inappropriate]
>
>5) For all the aspects of X509 and RFC 3280, the "newer CA" and the "older
>CA" are considered the SAME CA.
>
>
>Thank you,
>
>Luciano Coelho
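As an added illustration (not code from this thread or from any PKI implementation), the following Python model runs the CRL2 question above through the RFC 3280 section 6.3.3 rule, which matches the CRL issuer to the certificate issuer by name and requires the CRL signer to chain to the same trust anchor, and contrasts it with a verifier that additionally insists the CRL be signed with the key that issued the certificate, the behaviour Santosh attributes to MS CAPI. All DNs, key identifiers and the revoked entry are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed model of the thread's chain TA->CA1->CA2->EE_X after CA2 is
# rekeyed to CA2' (same DN, new key). Key identifiers are made-up labels.
@dataclass(frozen=True)
class Cert:
    subject: str                # DN (a string stands in for the X.500 name)
    issuer: str
    key_id: str                 # subjectKeyIdentifier
    issuer_key_id: str          # authorityKeyIdentifier.keyIdentifier
    can_sign_crl: bool = False  # keyUsage cRLSign

@dataclass(frozen=True)
class CRL:
    issuer: str         # CRL issuer DN
    signer_key_id: str  # AKI on the CRL: which CA key signed it
    revoked: frozenset  # listed entries (subject names stand in for serials)

def build_path(cert: Cert, store: list, anchor: Cert) -> Optional[list]:
    """Follow issuer DN + key identifier links up to the trust anchor."""
    path = [cert]
    while (path[-1].issuer, path[-1].issuer_key_id) != (anchor.subject, anchor.key_id):
        nxt = next((c for c in store if c.subject == path[-1].issuer
                    and c.key_id == path[-1].issuer_key_id), None)
        if nxt is None:
            return None  # dangling link: no usable path
        path.append(nxt)
    return path

def crl_usable_for(cert: Cert, crl: CRL, store: list, anchor: Cert,
                   require_same_key: bool = False) -> bool:
    """RFC 3280 6.3.3-style check: CRL issuer name equals the certificate
    issuer name and the CRL signer chains to the same trust anchor with
    cRLSign. require_same_key models a verifier that also demands the CRL
    be signed with the very key that issued the certificate."""
    if crl.issuer != cert.issuer:
        return False
    signer = next((c for c in store if c.subject == crl.issuer
                   and c.key_id == crl.signer_key_id and c.can_sign_crl), None)
    if signer is None or build_path(signer, store, anchor) is None:
        return False
    return not (require_same_key and crl.signer_key_id != cert.issuer_key_id)

TA = Cert("TA", "TA", "ta-k", "ta-k", True)
CA1 = Cert("CA1", "TA", "ca1-k", "ta-k", True)
CA2 = Cert("CA2", "CA1", "ca2-k", "ca1-k", True)    # CA2 under its original key
CA2N = Cert("CA2", "CA1", "ca2-k2", "ca1-k", True)  # CA2' after rekey, same DN
EE_X = Cert("EE_X", "CA2", "ee-k", "ca2-k")         # issued with the old key
CRL2 = CRL("CA2", "ca2-k2", frozenset({"EE_OTHER"}))  # CRL2 signed by the new key
STORE = [TA, CA1, CA2, CA2N, EE_X]
```

Under the name-based rule `crl_usable_for(EE_X, CRL2, STORE, TA)` is True, while `require_same_key=True` rejects CRL2 for EE_X, which is exactly why the thread says a CRL must also be signed with the old key for such verifiers.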