[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: PKIX Roadmap

To: Stefan Santesson <stefan@xxxxxxxxxxx>, Sean Turner <turners@xxxxxxxx>, PKIX <ietf-pkix@xxxxxxx>, "Arsenault, Al W." <awarsen@xxxxxxxxxxxxxx>
Subject: Re: PKIX Roadmap
From: Al Arsenault <aarsenault@xxxxxxxxxx>
Date: Tue, 22 Sep 1998 08:15:43 -0400
In-reply-to: <>
Sender: owner-ietf-pkix@xxxxxxx

At 06:25 AM 9/22/98 +0200, Stefan Santesson wrote:
>Al,
>
>Just a short reply to CA disaster (See below).
>
>Thanks for your reply, I still disagree to the disaster part.
>
>CA2 does not have to be dismanteled, since CA 2:s key is intact.
>What has to be done is that:
>- CA1 is rebuilt with new key
>- The compromise of CA1 and its new key has to be communicated with
>out-of-band means
>- CA1 cross certify CA2 (and other CA:s) using the new key
>- New cross certificates to CA1 has to be issued and published by other CA:s.
>
>Now all certificates issued by CA2 before the disaster of CA1 can be used
>and trusted.
>This since the disaster of CA1 didn't destroy CA2, just the link to CA2
>from CA1.
>
>/Stefan

Stefan,

	The more I think about this, the more I realize we agree.  It's the words
that need figuring out. Perhaps the words in the draft roadmap are too
strong; we'll have to think about that.

	First, let me note that when CA1 and CA2 are cross-certified - that is,
have a peer relationship, with neither subordinate to the other - I agree
with you about what happens when CA1's key is compromised.

	Now, let us assume that there is a hierarchical relationship - CA2 is
subordinate to CA1. This means to me that the trust anchor used by end
entities below CA2 is  not CA2 - it's CA1.  When CA1's key is discovered to
be compromised, what you do is:

	1 - communicate out of band the compromise. This means that CA2 and all
entities below it are essentially "out of action" temporarily; since CA1 is
the trust anchor, there's no way to construct a valid cert path

	2 - reconstitute CA1 with a new key;

	3 - get CA2's key to CA1 for certification (most likely through
out-of-band means). Yes, this can still be the same key; since CA2's key
wasn't compromised, it can still be used, and it will make things easier in
that you don't have to go re-signing end-entity certs with a new CA2 key.

Now, you're back in action.  

If you agree that this is right, we can figure out words that say that.
The point I wanted to convey is that the entire PKI is dead in this case
until CA1 is brought up and a new CA2 cert is signed, because you can't
construct a valid path back to a valid trust anchor.

(Of course, if trust anchor's compromised key happens to be on all
end-entity hardware tokens in a form that can't easily be changed, you've
still got a problem, but that's beyond the scope of PKIX :-)

				Al Arsenault

- the above opinions are my own.  They may or may not reflect the opinions
of my employer or of any other organization with which I have a relationship.

References:
- Re: PKIX Roadmap
  - From: Stefan Santesson

Prev by Date: RE: OCSP - Public Key Dstribution
Next by Date: text for attributes
Previous by thread: Re: PKIX Roadmap
Next by thread: Re: PKIX Roadmap
Index(es):
- Date
- Thread