
Re: [IETF-PKIX] Multiple certificates for same key?



Andreas,

>> I haven't had the time to browse through all the different latest drafts, I'm
>> afraid. Having had some discussions concerning the German digital signature
>> law, however, a question occurred to me: Is a CA allowed to issue two (or
>> more) certificates for a single end-entity's public key? If yes, this could
>> lead to big problems, especially in terms of liability of the CA. If
>> not, shouldn't this be specified somewhere?
>From a technical point of view, there is no reason why it should be
>defined whether issuing several certificates for a single public key.
>The problem simply is that if you have two certificates with the same
>key available you cannot distinguish which one was used to produce the
>signature. To accomplish that you would have to name the certificate
>inside the document that was signed. This way, you can make sure that
>the signer chose the correct context (certificate) to sign the document.
>
>This whole scheme fails once the secret key is retrieved. Then anybody
>can use any of the two certificates. And what do you do if only one of
>the certificates is revoked, the other is not? Then it is important, why
>the certificate was revoked (a formal reason or a key compromise).
>
You are right that using the same key in two or more certs implies a need
to revoke all of them in the case of a compromise.  You and others are also
right that certain instances of reusing a key have significant adverse
effects, especially with regard to non-repudiation.  However, not all uses
of certs are for NR and there are legitimate circumstances for reuse, thus
I would not expect PKIX to preclude such reuse, though inclusion of a
suitable warning is not unreasonable.

Steve
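
The point made in this exchange, that a key compromise affects every certificate issued for that key while a formal revocation affects only the one certificate, can be checked mechanically. The sketch below is an added example and not part of the original message; the certificate records, serial numbers and key bytes are constructed, and the reason strings follow the X.509 CRL reason codes keyCompromise and affiliationChanged.

```python
import hashlib
from collections import defaultdict

# Constructed sample data: (serial, subject, SubjectPublicKeyInfo bytes).
# The key values are placeholder byte strings, not real DER-encoded keys.
KEY_A = b"constructed-spki-key-A"
KEY_B = b"constructed-spki-key-B"
CERTS = [
    (101, "CN=Alice, OU=Signing", KEY_A),
    (102, "CN=Alice, OU=Email", KEY_A),
    (103, "CN=Alice, OU=VPN", KEY_A),
    (201, "CN=Bob, OU=Signing", KEY_B),
    (202, "CN=Bob, OU=Email", KEY_B),
]
# Constructed CRL: serial -> revocation reason.
CRL = {101: "keyCompromise", 201: "affiliationChanged"}


def key_id(spki):
    """Identify a key by the SHA-256 hash of its public key bytes."""
    return hashlib.sha256(spki).hexdigest()


def group_by_key(certs):
    """Map each key identifier to the serials of all certificates for it."""
    groups = defaultdict(list)
    for serial, _subject, spki in certs:
        groups[key_id(spki)].append(serial)
    return dict(groups)


def pending_revocations(certs, crl):
    """Serials still unrevoked although a certificate for the same key
    was revoked for keyCompromise. A formal reason on one certificate
    does not propagate to the others sharing its key."""
    pending = []
    for serials in group_by_key(certs).values():
        if any(crl.get(s) == "keyCompromise" for s in serials):
            pending.extend(s for s in serials if s not in crl)
    return sorted(pending)


if __name__ == "__main__":
    print("must also be revoked:", pending_revocations(CERTS, CRL))
```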