
RE: question on multiple CA certs with the same DN
Ken,

The CML was designed to handle the case where a CA could have an old and
a new key, as during key rollovers.

As part of releasing the CML v2.1.1 patch, we added an enhancement to
the CRL-selection algorithm to prioritize CRLs signed by the same public
key that signed the certificate being checked.  This enhancement, when
combined with the other bug fixes in the v2.1.1 patch, should eliminate
any problems you were seeing.

- Rich

> -----Original Message-----
> From: Ken Stillson [mailto:stillson@xxxxxxxxxxxx]
> Sent: Thursday, October 10, 2002 12:04 PM
> To: IMC-CML mailing list
> Subject: question on multiple CA certs with the same DN
> 
>   Sort of a follow-up to my previous message--
> 
>   Wanted to make sure CML supports a PKI topology currently in use in the
>   Federal space...  I'm working on arranging an experiment for this, but
>   thought maybe someone might be able to provide me assurance more quickly
>   than I can arrange for all the necessary cross-certs to be updated..
> 
>   In the FBCA, a "key roll-over" technique is being used; this means that
>   CAs will have multiple self-signed certificates with the same
>   issuer/subject DNs, but different validity periods and different auth
>   subj key ID fields.
> 
>   "link certs" (really single-direction cross-certs) are used to tie the
>   "old" and "new" certs together.
> 
>   All the old, new, and link certs are posted as "caCertificate;binary" in
>   the directories, and the CA really becomes basically a mesh of certs.
> 
> 
>   Some of the problems I've been having with CML seem to be associated with
>   the fact that a certificate that was selected as matching a CRL based on
>   DN ends up not matching when the CRL's auth Key ID is tested against the
>   cert's subject key ID.
> 
>   So the question is-- will CML be confused by this arrangement where
>   multiple certs exist with the same issuer/subject pair, but different key
>   IDs...?
> 
>   Thanks & best regards,
> 
>     - Ken Stillson
> 
> -- 
>       |   Ken Stillson             |    stillson@xxxxxxxxxxxx    |
>       |   Sr. Principal Engineer   |    voice: (703) 610-2965    |
>       |   Mitretek Systems         |      fax: (703) 610-2399    |
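A toy model of the selection problem discussed in this thread, added here as an example and not CML code: certs and CRLs are plain records carrying only the fields at issue (issuer/subject DN, Subject Key Identifier, Authority Key Identifier), with constructed values. It contrasts DN-only CRL selection, which can pick a CRL signed by the rolled-over CA's other key, with selection that prefers the CRL signed by the same key that signed the certificate.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    ski: str   # Subject Key Identifier (hash of this cert's public key)
    aki: str   # Authority Key Identifier (key that signed this cert)

@dataclass(frozen=True)
class Crl:
    issuer: str
    aki: str   # key that signed this CRL
    revoked: frozenset

# Constructed rolled-over CA: two self-signed certs with the same DN but
# different keys, plus link certs tying the old and new keys together.
CA = "CN=Example CA,O=Constructed"
ca_old = Cert(CA, CA, ski="KEY-OLD", aki="KEY-OLD")
ca_new = Cert(CA, CA, ski="KEY-NEW", aki="KEY-NEW")
link_old_to_new = Cert(CA, CA, ski="KEY-NEW", aki="KEY-OLD")  # old key signs new key
link_new_to_old = Cert(CA, CA, ski="KEY-OLD", aki="KEY-NEW")  # new key signs old key
ca_certs = [ca_new, link_old_to_new, link_new_to_old, ca_old]  # all share one DN

# An end-entity cert issued under the old key, and one CRL per CA key.
ee = Cert("CN=ee,O=Constructed", CA, ski="KEY-EE", aki="KEY-OLD")
crl_new_key = Crl(CA, aki="KEY-NEW", revoked=frozenset())
crl_old_key = Crl(CA, aki="KEY-OLD", revoked=frozenset({"ee-serial"}))
crls = [crl_new_key, crl_old_key]

def select_crl_by_dn(cert: Cert, crls: list) -> Optional[Crl]:
    """Pre-fix behaviour: first CRL whose issuer DN matches, regardless of key."""
    return next((c for c in crls if c.issuer == cert.issuer), None)

def select_crl_by_key(cert: Cert, crls: list) -> Optional[Crl]:
    """Prefer the CRL signed by the same key that signed the cert (CRL AKI ==
    cert AKI); fall back to a DN-only match if no such CRL exists."""
    same_key = [c for c in crls if c.issuer == cert.issuer and c.aki == cert.aki]
    return same_key[0] if same_key else select_crl_by_dn(cert, crls)

def crl_signer_matches(crl: Crl, ca_cert: Cert) -> bool:
    """The check Ken saw fail: a CA cert picked by DN must also have SKI == CRL AKI."""
    return crl.issuer == ca_cert.subject and crl.aki == ca_cert.ski

def find_crl_signer(crl: Crl, ca_certs: list) -> Optional[Cert]:
    """Among same-DN CA certs, pick the one whose SKI matches the CRL's AKI."""
    return next((c for c in ca_certs if crl_signer_matches(crl, c)), None)
```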