
Re: Conclusions: CA Rekey and CRL Validation



Luciano:

You can verify the CRL2.  The only reason to sign with the old key is to 
accommodate those PK enabled clients who require the certificate and CRL to 
be signed using the same key, e.g., MS CAPI.

On Sat, 18 Sep 2004 17:00:52 -0300, Luciano (Pessoal) wrote
> Not considering the "feature" implemented by MS. 
> 
>     We have the chain below for the end entity certificate "EE_X".
>        TA->CA1->CA2->EE_X (where TA is considered a trust anchor).
> 
>     CA2 is rekeyed and a new certificate, CA2', is generated for it with
> the same DN.
> 
>     After the rekey, CA2 issues a CRL "CRL2". The certification path 
> for this CRL is: TA->CA1->CA2'->CRL2
> 
>     "CRL2" has revocation information about all certificates issued 
> by the "CA2" and "CA2'" certificates.
> 
>     "CRL2" doesn't have IDP extension.
> 
>     My doubts are:
> 
> 1) Following the algorithm
> (http://www.imc.org/ietf-pkix/mail-archive/msg03268.html) proposed by
> Santosh, can I use the CRL "CRL2" to verify the certificate "EE_X"?  
> If not, why?
> 
> 2) If I can do the verification above, as I suppose, why do I need to  
> issue CRLs using the old key (associated with CA2)?
> 
>     Thanks in advance.
> 
>     Luciano Coelho
>    
> Santosh Chokhani wrote:
> 
> >See responses in-line in [].
> >
> >-----Original Message-----
> >From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx] 
On
> >Behalf Of Luciano (Pessoal)
> >Sent: Friday, September 17, 2004 10:59 AM
> >To: ietf-pkix@xxxxxxx
> >Subject: Conclusions: CA Rekey and CRL Validation
> >
> >
> >
> >After all this discussion, it is correct to affirm:
> >
> >1) To do a CA-Rekey it is not necessary to change the CA's DN.
> >
> >[MS CAPI will require that a CRL be signed using all the keys that
> >certificates were issued with and have not expired]
> >
> >2) The "newer CA" can issue CRLs that contain revocation information about
> >all the certificates issued using the new and the old key.
> >
> >[It is the same CA.  It is not a different CA.  So, the term "newer CA" does
> >not make sense]
> >
> >3) It is not necessary to maintain the older CA key for issuing CRLs that
> >contain only revocation information about certificates issued using the old
> >key (and not containing revocation info about certificates issued by the
> >"newer CA").
> >
> >[Again, newer CA does not make sense.  If you do this, MS CAPI will not
> >verify the paths for older certificates]
> >
> >4) A certificate issued by the "older CA" can be validated using the CRL
> >issued by the "newer CA", without this being considered a security problem.
> >
> >[Again, the terms newer and older are inappropriate]
> >
> >5) For all the aspects of X509 and RFC 3280, the "newer CA" and the "older
> >CA" are considered the SAME CA.
> >
> >
> >Thank you,
> >
> >Luciano Coelho
> >
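A worked example of the validation rules discussed in this thread, added here; it is not code from the thread or from any of its participants. It uses Go's standard crypto/x509 to build the hierarchy TA -> CA1 -> CA2 -> EE_X, rekeys CA2 under the same DN (CA2'), signs CRL2 with the new key only, and then runs two checks against EE_X: an RFC 3280 section 6.3 style check, under which CRL2 is acceptable because the CRL issuer DN equals the certificate issuer DN and CA2' has its own valid path to TA, and a "same key" check modelling the MS CAPI behaviour Santosh describes, which rejects CRL2 and accepts only a CRL signed with the key that issued EE_X. All names, serial numbers and keys are constructed for the example; the function names (BuildPKI, SignCRL, IsRevoked) are the example's own, and IsRevoked is a simplified reading of RFC 3280, not the algorithm from the linked message.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI is the constructed hierarchy from the thread: TA -> CA1 -> CA2 -> EE_X. CA2New is CA2 after
// the rekey: same DN as CA2Old, a new key, and a new certificate issued by CA1.
type PKI struct {
	TA, CA1, CA2Old, CA2New, EE *x509.Certificate
	CA2OldKey, CA2NewKey       *ecdsa.PrivateKey
}

func must(err error) { if err != nil { panic(err) } }
func newKey() *ecdsa.PrivateKey { k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); must(err); return k }

// template builds a certificate template; CA templates carry cRLSign so either CA2 certificate may sign CRLs.
func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
	}
	return t
}

// issue signs tmpl with parentKey and returns the parsed certificate (Go fills in SKI/AKI for CA-issued certs).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, pub *ecdsa.PublicKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	must(err)
	c, err := x509.ParseCertificate(der)
	must(err)
	return c
}

// BuildPKI generates fresh keys and certificates (all constructed); EE_X is issued under the OLD CA2 key.
func BuildPKI() *PKI {
	taKey, ca1Key, oldKey, newKey2, eeKey := newKey(), newKey(), newKey(), newKey(), newKey()
	taT := template("TA", 1, true)
	ta := issue(taT, taT, taKey, &taKey.PublicKey) // self-signed trust anchor
	ca1 := issue(template("CA1", 2, true), ta, taKey, &ca1Key.PublicKey)
	ca2old := issue(template("CA2", 3, true), ca1, ca1Key, &oldKey.PublicKey)
	ca2new := issue(template("CA2", 4, true), ca1, ca1Key, &newKey2.PublicKey) // rekey: same DN, new key
	ee := issue(template("EE_X", 100, false), ca2old, oldKey, &eeKey.PublicKey)
	return &PKI{ta, ca1, ca2old, ca2new, ee, oldKey, newKey2}
}

// SignCRL issues a CRL in CA2's name under the given signer certificate and key, listing one
// revoked serial number; it carries no IDP extension, as in the thread.
func (p *PKI) SignCRL(signer *x509.Certificate, key *ecdsa.PrivateKey, revokedSerial int64) []byte {
	now := time.Now()
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(revokedSerial), RevocationTime: now}},
	}, signer, key)
	must(err)
	return der
}

// IsRevoked checks EE_X against a CRL. With sameKeyOnly=false it follows RFC 3280 section 6.3: the CRL
// issuer name must equal the certificate issuer name and the CRL must verify under SOME certificate with
// that subject whose own path reaches the trust anchor, whichever CA2 key signed it. sameKeyOnly=true
// models the MS CAPI behaviour from the thread: the CRL must be signed with the key that issued EE_X.
func IsRevoked(p *PKI, crlDER []byte, sameKeyOnly bool) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil { return false, err }
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.TA)
	inter.AddCert(p.CA1); inter.AddCert(p.CA2Old); inter.AddCert(p.CA2New)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	chains, err := p.EE.Verify(opts) // TA -> CA1 -> CA2 (old key) -> EE_X
	if err != nil { return false, err }
	if !bytes.Equal(crl.RawIssuer, p.EE.RawIssuer) {
		return false, fmt.Errorf("CRL issuer %s is not the certificate issuer %s", crl.Issuer, p.EE.Issuer)
	}
	cands := []*x509.Certificate{p.CA2Old, p.CA2New}
	if sameKeyOnly { cands = chains[0][1:2] } // only the certificate that actually issued EE_X
	for _, cand := range cands {
		// Needs the CRL's issuer DN, a valid path of its own (e.g. TA -> CA1 -> CA2') and the key
		// that signed this CRL; CheckSignatureFrom also enforces the cRLSign key usage.
		if _, err := cand.Verify(opts); err != nil || !bytes.Equal(cand.RawSubject, crl.RawIssuer) || crl.CheckSignatureFrom(cand) != nil {
			continue
		}
		for _, r := range crl.RevokedCertificates {
			if r.SerialNumber.Cmp(p.EE.SerialNumber) == 0 { return true, nil }
		}
		return false, nil
	}
	return false, fmt.Errorf("no acceptable CRL issuer certificate for %s", crl.Issuer)
}

func main() {
	p := BuildPKI()
	crl2 := p.SignCRL(p.CA2New, p.CA2NewKey, 101) // CRL2, signed with the new key only
	revoked, err := IsRevoked(p, crl2, false)
	_, capiErr := IsRevoked(p, crl2, true)
	fmt.Printf("RFC 3280 style: revoked=%v err=%v\nsame-key (MS CAPI) style: err=%v\n", revoked, err, capiErr)
}
```

Run it with go run; the first line reports revoked=false with no error (CRL2 is acceptable for EE_X and does not list serial 100), the second reports a signature error, which is the client behaviour that forces a CA to keep signing CRLs with the old key until the certificates issued under it have expired. Signing the same CRL with the old key via p.SignCRL(p.CA2Old, p.CA2OldKey, 101) satisfies both checks, since CA2Old also has a valid path to TA.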