Sort of a follow-up to my previous message--
Wanted to make sure CML supports a PKI topology currently in use in the
Federal space... I'm working on arranging an experiment for this, but
thought maybe someone might be able to provide me assurance more quickly
than I can arrange for all the necessary cross-certs to be updated.
In the FBCA, a "key roll-over" technique is being used; this means that
CAs will have multiple self-signed certificates with the same
issuer/subject DNs, but different validity periods and different auth/subj
key ID fields.
"Link certs" (really single-direction cross-certs) are used to tie the
"old" and "new" certs together.
All the old, new, and link certs are posted as "caCertificate;binary" in
the directories, and the CA really becomes basically a mesh of certs.
Some of the problems I've been having with CML seem to be associated with
the fact that a certificate that was selected as matching a CRL based on
DN ends up not matching when the CRL's auth Key ID is tested against the
cert's subject key ID.
So the question is-- will CML be confused by this arrangement where
multiple certs exist with the same issuer/subject pair, but different key
IDs...?
Thanks & best regards,
- Ken Stillson
--
| Ken Stillson | stillson@xxxxxxxxxxxx |
| Sr. Principal Engineer | voice: (703) 610-2965 |
| Mitretek Systems | fax: (703) 610-2399 |
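The mismatch described in the message above, as an added illustration (not code from the original post or from CML): a key-rolled CA modelled as four certificates sharing one DN (old and new self-signed certs plus the two link certs), with a CRL issuer selected first by DN alone and then by DN plus authority/subject key identifier and validity. All DNs, key identifiers and dates are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    ski: str        # subjectKeyIdentifier (constructed hex value)
    aki: str        # authorityKeyIdentifier (constructed hex value)
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class Crl:
    issuer: str
    aki: str        # authorityKeyIdentifier carried by the CRL
    this_update: datetime


# Constructed sample: one CA after a single key roll-over. Both self-signed
# certs carry the same DN; the two link certs cross-certify old <-> new keys.
CA_DN = "CN=Example Federal CA,O=Example,C=US"
OLD_SELF = Cert(CA_DN, CA_DN, "aa11", "aa11", datetime(2015, 1, 1), datetime(2025, 1, 1))
NEW_SELF = Cert(CA_DN, CA_DN, "bb22", "bb22", datetime(2019, 1, 1), datetime(2029, 1, 1))
LINK_OLD_SIGNS_NEW = Cert(CA_DN, CA_DN, "bb22", "aa11", datetime(2019, 1, 1), datetime(2025, 1, 1))
LINK_NEW_SIGNS_OLD = Cert(CA_DN, CA_DN, "aa11", "bb22", datetime(2019, 1, 1), datetime(2025, 1, 1))
CA_MESH = [OLD_SELF, NEW_SELF, LINK_OLD_SIGNS_NEW, LINK_NEW_SIGNS_OLD]


def select_by_dn_only(store, crl):
    """Fragile selection: first cert whose subject equals the CRL issuer DN.
    With a rolled-over CA this may return a cert holding the wrong key."""
    return next((c for c in store if c.subject == crl.issuer), None)


def crl_issuer_candidates(store, crl):
    """Robust selection: subject DN must match, the cert's SKI must equal the
    CRL's AKI, and the cert must be valid at the CRL's thisUpdate. Every
    cert in the mesh carrying the signing key (self-signed or link) is
    returned; each supplies the same public key for signature checking."""
    return [c for c in store
            if c.subject == crl.issuer
            and c.ski == crl.aki
            and c.not_before <= crl.this_update <= c.not_after]


def key_id_mismatch(store, crl):
    """True when DN-only selection picks a cert whose SKI != the CRL's AKI."""
    chosen = select_by_dn_only(store, crl)
    return chosen is not None and chosen.ski != crl.aki
```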