
RE: CA Rekey and CRL Validation




At 3:40 PM -0700 9/14/04, Laudon Williams wrote:
So just to finalize this (feel free to rebut Steve)...

When faced with CA expiration, you have two choices. You can either:
- Rollover the key (same name, new key), or
- Rollover the CA (new name, new key).

The second case is not "rollover" because the CA name changed and, according to X.509 and PKIX, the new name represents a new CA. The term "key rollover" is used to refer to a key change where the name of the subject stays constant, whether the context is an EE or a CA.


Steve