[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SET Root CA Extension

To: Stephen Kent <kent@xxxxxxx>
Subject: Re: SET Root CA Extension
From: Santosh Chokhani <chokhani@xxxxxxxxxxxx>
Date: Wed, 09 Jul 1997 13:31:36 -0400
Cc: Bob Jueneman <BJUENEMAN@xxxxxxxxxx>, ietf-pkix@xxxxxxxxxx

At 11:55 AM 7/9/97 -0400, Stephen Kent wrote:
>Bob,
>
>	I too would like to see the explanation for why inclusion of the
>hash of the next (root) CA public key is preferable to merely presigning
>the next cert for a (root) CA.  I have designed systems that adopted the
>presigning of the next cert approach, primarily as a response to loss of
>use of (vs. compromise of) the CA key.  I'm open to arguments why the
>approach adopted for SET is preferable, but I agree with Bob that we ought
>not adopt a new extension unless it is supported by a good argument as to
>why other methods, that don't require a new extension, are not
>equivalent/sufficient.
>
>Steve
>
>
>

Steve: I assume by presigning you mean use the current key to sign the next
key.  Assuming this, the hash has one advantage.  It allows for "in-band"
rekying of the root in the face of a compromise.  Those entities who have
received the current certificate and hence the hash of the next public key
before the current key was compromised, can use the hash to validate the
next certificate received over untrusted channels.

-------------------------------------------------
Santosh Chokhani
CygnaCom Solutions, Inc.
Suite 100 West
7927 Jones Branch Drive
McLean, Virginia 22102-3305
(703) 848 - 0883
chokhani@cygnacom.com

Follow-Ups:
- Re: SET Root CA Extension
  - From: Stephen Kent

Prev by Date: Re: SET Root CA Extension
Next by Date: Re: RE: SET Root CA Extension
Previous by thread: Re: SET Root CA Extension
Next by thread: Re: SET Root CA Extension
Index(es):
- Date
- Thread