On 2009-12-16 05:08 PST, Daniel Joscak wrote: > Hi all, > > I found it here http://www.mozilla.org/projects/security/certs/policy/ > thank you very much for all the explanations, especially the one with the > "silent upgrade" by Jean-Marc.
The event that Jean-Marc named "silent upgrade" is more commonly known as "intermediate CA certificate renewal", I believe. It's not that uncommon. There's nothing wrong with a high level CA issuing a subordinate CA cert for a relatively short validity period (say, a year) and then "renewing" it each year after that. This has at least one advantage over giving the intermediate CA cert a very long validity period from the outset, namely that if that intermediate CA cert must ever be revoked, it will not need to be carried in the CRL for a long time because it will expire soon. > I still don't understand Mozilla's requirement in case "silent" upgrade is > not required (furthermore, prohibited by some other regulations) and if we > are careful about the dates of expirations of the CA's and end's > certificates. Why is it "incorrect extension" or almost always a "huge > mistake"? Specifying the issuer's issuer name and serial number in the AKI in a cert means that there is no hope of that cert verifying in the event that its issuer needs to be renewed for any reason. Most people who setup their first CA with OpenSSL don't understand that. They setup an intermediate CA cert with a short lifetime, and they issue certs subordinate to it with AKIs that include the issuer's issuer name and serial number. Then, a year or two later, when their intermediate CA cert expires, they suddenly discover, to their horror, that they must reissue ALL the certs that they formerly issued with that expiring CA cert's serial number in their AKI. In many cases, that means reissuing all the EE certs they've ever issued. That's a complete PKI turnover, and is generally regarded as a failure of the PKI. It's a HUGE mistake on the part of the person(s) who decided to put the issuer's issuer name and serial number into the AKI just because they saw that done in some OpenSSL cookbook page they found on the net. The option in the AKI extension to include the issuer cert's issuer name and serial number is there to deal with the case where the issuer cert is an X.509 v1 cert, and therefore cannot have any SKI extension because it has *NO* extensions. Then intent clear was that an AKI would contain either the issuer's subject key ID (if the issuer cert is an X.509 v3 cert) or the issuer's issuer name and serial (if the issuer cert is X.509 v1). > I think there are three options regarding silent upgrades: > - Key ID allows silent upgrade > - issuer's issuer name and serial number doesn't allow silent upgrade > - Key ID + issuer's issuer name and serial number is equivalent to the > second option. > Am I correct? Yes. > An issue when CA cert expires and its serial number appears in the AKI > of other subordinate certs is a problem of PKI design. Agreed. The appearance of issuer's issuer name and serial number in a cert issued by an issuer cert with a short lifetime is cause for suspicion of bad PKI design. > I don't think it should be solved with this extension. It is CAUSED by misuse of this extension. It is solved by proper use of this extension. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto