
Re: CA Rekey and CRL Validation




David A. Cooper wrote:


Here are a few quotes from X.509:

1. Section 7: "NOTE 1 – Although the _CAs are unambiguously defined by a distinguished name_

[...]

However, these arguments always start with the assumption that one is operating in a PKI in which there are multiple, independent CAs, all of which are considered to be valid CAs in the infrastructure and all of which have the same name. However, in a valid PKI, two different CAs will not have the same name. [...]

I think it's not really a question that they have to be considered valid CAs.


The point is that in an internet environment, you take an active decision when you start accepting a new root, but then you are vulnerable to whatever that root does (you can decide to remove it, but it will happen only *after* you know it did something inadequate).

And in an open environment, just telling a root to never emit a CA certificate whose distinguished name is not unambiguous with other independent CAs is not an absolute guarantee it will never happen. Even unintentionally.

So it may be OK for X.509, but PKIX cannot say "all CAs will emit unambiguous distinguished names", and then go on opening security breaches if it ever occurs.
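
The scenario argued over in this thread, as an added illustration that is not part of the original message or of any X.509/PKIX text: a Python sketch using the third-party `cryptography` package, in which two constructed roots each certify a CA named "Issuing CA" and root A's CA is also rekeyed. It compares name-only CRL issuer matching with one possible stricter check that also requires a CRL signer chaining to the certificate's own trust anchor. All names are assumptions, the certificates carry no extensions, and path validation is reduced to bare signature checks.

```python
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = dt.datetime(2024, 1, 1)  # constructed validity start

def make_ca(cn, issuer=None):
    """Return (cert, key) for a new CA named cn; self-signed when issuer is None."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer_name, issuer_key = (issuer[0].subject, issuer[1]) if issuer else (subject, key)
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer_name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + dt.timedelta(days=365))
            .sign(issuer_key, hashes.SHA256())), key

def make_crl(ca):  # empty CRL issued under ca's name, signed with ca's key
    return (x509.CertificateRevocationListBuilder().issuer_name(ca[0].subject)
            .last_update(NOW).next_update(NOW + dt.timedelta(days=7))
            .sign(ca[1], hashes.SHA256()))

def signed_by(cert, issuer_cert):
    """True if cert's signature verifies under issuer_cert's public key."""
    try:
        issuer_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                        ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def accept_by_name(crl, cert_issuer):  # name-only matching of CRL issuer
    return crl.issuer == cert_issuer

def accept_by_anchor(crl, cert_issuer, anchor, known_cas):
    """Name match plus a CRL signer that chains to the certificate's trust anchor."""
    return crl.issuer == cert_issuer and any(
        ca.subject == crl.issuer and crl.is_signature_valid(ca.public_key())
        and signed_by(ca, anchor) for ca in known_cas)

def demo():
    root_a, root_b = make_ca("Root A"), make_ca("Root B")
    ca_old, ca_new = make_ca("Issuing CA", root_a), make_ca("Issuing CA", root_a)  # rekey
    ca_b = make_ca("Issuing CA", root_b)  # independent CA with the same DN
    cas, dn, anchor = [ca_old[0], ca_new[0], ca_b[0]], ca_old[0].subject, root_a[0]
    return (accept_by_name(make_crl(ca_b), dn),
            accept_by_anchor(make_crl(ca_b), dn, anchor, cas),
            accept_by_anchor(make_crl(ca_new), dn, anchor, cas))
```

`demo()` returns three booleans for a certificate issued under root A: whether name-only matching accepts the other root's CRL, whether the anchor-bound check accepts it, and whether the anchor-bound check still accepts the rekeyed CA's CRL.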