[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Name changes and certificates

To: jduffy@xxxxxxx, peter@xxxxxxxxxxxx
Subject: Name changes and certificates
From: Bob Jueneman <BJUENEMAN@xxxxxxxxxx>
Date: Thu, 11 Sep 1997 16:19:51 -0600
Cc: ietf-pkix@xxxxxxxxxx

>Corporate mergers of this sort are, of course, common.

Been there, done that!  Remember Contel?  Unfortunately, all too often, once
the pig passes through the python, there isn't much left of the pig. It will
be interesting to see what happens.

>Lets say BBN has issued 50,000 certs to employees, and GTE corporate
>dictum now wanted to change everyone over to [a-z]*@bbn.gte.com. (I
>do not know if they do or do not.)
>
>Obviously one way to do it is to revoke and reissue all certs (and
>handle 50,000 tokens if token-based).

First of all, there is no particularly good reason (other than perhaps
image) to revoke any of the existing certificates.  Whatever legal
implications might have existed would be carried forward under the
successors and assigns clause in any case.
>
>Another way is to revoke the BBN CA(s), and start again with
>new trust points.
>
>How would PKIX technology migrate folk intelligently? A policy mapping, or
>name mapping in a renewed BBN CA certificate, perhaps?
>
>This is a fun topic, after all the recent fuss. It will
>not be long before someone has to deal with precisely
>this scenario.
>
In general, I am highly suspicious of any attempt to reuse a key pair by
including a previously used public key in a certificate.

But mergers are one particular example where this is harmless and cost
effective.  Assuming, as I stated without proof, that there is no legal
difference (just as there is no legal difference that I know of whether a
woman uses her maiden name or married name -- she is still the same person,
and still liable for her personal signature), all that would be required
would be for the root CA to issue a new certificate to BBN/GTE containing
the old BBN CA's key. Then the BBN/GTE CA would run a batch process to
extract all of the public keys from all of the old certificates and issue
new certificates containing the same public keys.

The users could pick them up at their leisure from a convenient directory
(we'd be happy to sell them NDS, for example :-) or other distribution
point, and start using them whenever.

You really wouldn't want to revoke the old certificates, because of the
possible ambiguity and confusion that would be caused with respect to
previously signed documents.  You probably don't throw out all of the
letterhead and business cards overnight either, and you certainly don't tear
up the existing contracts.

I would assume that anyone who aspires to be in the CA business, and
especially anyone who aspires to be in the corporate CA-toolkit business,
would include a mechanism for more or less automatically reissuing
certificates when corporations, divisions, departments, and individuals
change names.

Note that in particular this approach doesn't require anything be done to
the tokens at all, since the private keys haven't changed.

Change is the only steady-state condition!

Bob

Prev by Date: PKIX Part I - Name Constraints
Next by Date: PKIX-3 Extensibility
Previous by thread: PKIX Part I - Name Constraints
Next by thread: PKIX-3 Extensibility
Index(es):
- Date
- Thread