Re: [IETF-PKIX] Multiple certificates for same key?
There are many reasons to issue multiple certificates per public key
(see example below).
There are also many reasons to only issue one certificate per public
key. For example, suppose a corporation provides a cryptographic token
capable of holding one key pair to each employee and institutes a policy
of only allowing the token to be used for corporate business. One method
of enforcing this policy might be to only permit one certificate to be
issued per public key. This method would prevent the public key from being
bound to both the employee's corporate name (e.g., C=US, O=XYZ, CN=John
Smith) and personal name (e.g., C=US, ST=IL, L=Chicago, CN=John Smith).
It seems to me that the question of how many certificates per public key
is a policy question, not a technical question.
Frank Balluffi
CertCo LLC
balluffif@certco.com
> -----Original Message-----
> From: Stephen Kent [SMTP:kent@BBN.COM]
> Sent: Wednesday, March 04, 1998 9:22 AM
> To: IETF-PKIX@LISTS.TANDEM.COM
> Subject: Re: [IETF-PKIX] Multiple certificates for same key?
>
> Bob,
>
> Ignoring issues of non-repudiation (for which only some certs may be
> employed), it may be reasonable for two certs to hold the same public key.
> For example, a CA may choose to have a short validity interval to ease CRL
> management, but not require users to generate and transmit new key pairs to
> match the interval. In that case, the CA can merely re-certify the old key
> and reissue a cert with a new serial number and the same name, and probably
> all the other attributes would be the same as well.
>
> Steve
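Added example, not part of the thread and not code from CertCo or any of the participants: a small Go program built on the standard library's crypto/x509 that carries out both situations described above. A toy CA re-certifies one key pair under the same name with a new serial number and a fresh 30-day validity window, as Steve describes, and, once a one-certificate-per-key switch is turned on, refuses to bind an already certified key to a second name, which is the enforcement method Frank suggests. The two subject names are the ones from Frank's message; the CA name, the Issuer type and its functions, the serial numbers, the fixed epoch T0, the lifetimes and the use of Ed25519 keys are all assumptions made for this example.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var T0 = time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // fixed epoch (an assumption) so validity arithmetic is reproducible
const Day = 24 * time.Hour

var ( // the two names from Frank's message for one employee, plus the policy's rejection error
	CorporateName          = pkix.Name{Country: []string{"US"}, Organization: []string{"XYZ"}, CommonName: "John Smith"}
	PersonalName           = pkix.Name{Country: []string{"US"}, Province: []string{"IL"}, Locality: []string{"Chicago"}, CommonName: "John Smith"}
	ErrKeyAlreadyCertified = errors.New("policy: a certificate has already been issued for this public key")
)

// Issuer is a toy CA (assumed for this example). With OneCertPerKey set it refuses to certify a DER SubjectPublicKeyInfo it has certified before, whatever the name.
type Issuer struct {
	Cert          *x509.Certificate
	key           ed25519.PrivateKey
	OneCertPerKey bool
	seen          map[string]bool // DER SPKI -> already certified
	nextSerial    int64
}

func NewIssuer(oneCertPerKey bool) (*Issuer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{ // self-signed root, valid across every window used below
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{"XYZ"}, CommonName: "XYZ Issuing CA"},
		NotBefore:             T0.Add(-Day),
		NotAfter:              T0.Add(3650 * Day),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Issuer{Cert: cert, key: priv, OneCertPerKey: oneCertPerKey, seen: map[string]bool{}, nextSerial: 1000}, nil
}

// Issue certifies pub under subject for [notBefore, notBefore+lifetime) with a fresh serial number; a key certified earlier is accepted again unless the policy is on.
func (ca *Issuer) Issue(pub crypto.PublicKey, subject pkix.Name, notBefore time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	spki, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	if ca.OneCertPerKey && ca.seen[string(spki)] {
		return nil, ErrKeyAlreadyCertified
	}
	ca.nextSerial++
	der, err := x509.CreateCertificate(rand.Reader, &x509.Certificate{
		SerialNumber: big.NewInt(ca.nextSerial),
		Subject:      subject,
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
	}, ca.Cert, pub, ca.key)
	if err != nil {
		return nil, err
	}
	ca.seen[string(spki)] = true
	return x509.ParseCertificate(der)
}

// SameKey reports whether two certificates carry a byte-identical SubjectPublicKeyInfo.
func SameKey(a, b *x509.Certificate) bool {
	return string(a.RawSubjectPublicKeyInfo) == string(b.RawSubjectPublicKeyInfo)
}

// VerifyAt is the relying party's view at time t: chain to the CA and check this certificate's own validity window; other certificates for the same key play no part.
func VerifyAt(ca *Issuer, cert *x509.Certificate, t time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: t})
	return err
}

func main() {
	ca, _ := NewIssuer(false)
	pub, _, _ := ed25519.GenerateKey(rand.Reader) // the token's single key pair
	c1, _ := ca.Issue(pub, CorporateName, T0, 30*Day)             // Steve's case: same key and name,
	c2, _ := ca.Issue(pub, CorporateName, T0.Add(30*Day), 30*Day) // new serial, next 30-day window
	fmt.Println("same key:", SameKey(c1, c2), "serials:", c1.SerialNumber, c2.SerialNumber)
	fmt.Println("c1 valid on day 40:", VerifyAt(ca, c1, T0.Add(40*Day)) == nil, "c2 valid on day 40:", VerifyAt(ca, c2, T0.Add(40*Day)) == nil)
	ca.OneCertPerKey = true // Frank's case: with the policy on, a second name for the same key is refused
	_, err := ca.Issue(pub, PersonalName, T0, 365*Day)
	fmt.Println("personal-name certificate for the same key:", err)
}
```

Run as is, it reports that the two corporate certificates carry the same SubjectPublicKeyInfo under different serial numbers, that only the second one verifies on day 40, and that the personal-name request fails with the policy error. The policy check is keyed on the DER SubjectPublicKeyInfo rather than on the subject name, which is what makes it enforce "one certificate per key" rather than "one certificate per name". On the relying-party side nothing changes either way: path validation is per certificate, so a re-certified key looks exactly like a freshly generated one.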