Anders Rundgren wrote:
> In a recent project there was a requirement for frequent and *automated*
> renewals of certificates. The renewal procedure is based on creating
> a self-signed request which is then signed by the original key.
>
> It appears that the new key cannot (for a *remote* CA) be guaranteed to
> have been created in and be residing in the HSM, which means that even if you
> use a rigorous "key ceremony" for the initial key you will almost be
> down at the "soft token" level after the very first renewal :-)
>
> Comments?
Not much to say... If a subject is allowed to sign a new key, and the issuing CA will trust that signature and automatically "bless" it, then this cannot really be avoided.

Think of it as privilege escalation by CA. After one signature only the original key is signed by the CA. But because the CA will also sign other keys on demand, as long as they have been signed with some previously signed key, then in fact the CA is not the trust authority anymore; that power has been delegated out to every key holder.

//Peter

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
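The delegation Peter describes can be made concrete with a small model. The following Go program is an added illustration, not code from the thread or from OpenSC: certificates are reduced to an Ed25519 public key plus the CA's signature over it, `RenewLax` is the policy Anders describes (any new key is blessed as long as the request is signed by a previously certified key), and `RenewStrict` is one way a CA could refuse to lose its authority, by also requiring a statement over the new key from an HSM attestation identity. That attestation identity, the `hsmAttestPub` key and the `RunScenario` helper are assumptions made for the example; real HSMs expose key attestation through product-specific mechanisms that the thread does not cover.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Cert is a minimal stand-in for an issued certificate: the subject public key
// and the CA's signature over it. (Constructed model, not real X.509.)
type Cert struct {
	Pub   ed25519.PublicKey
	CASig []byte
}

// CA holds the issuing key and, for the strict policy, the public key of an
// assumed HSM attestation identity that only the HSM can sign with.
type CA struct {
	priv         ed25519.PrivateKey
	pub          ed25519.PublicKey
	hsmAttestPub ed25519.PublicKey
}

func NewCA(hsmAttestPub ed25519.PublicKey) *CA {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &CA{priv: priv, pub: pub, hsmAttestPub: hsmAttestPub}
}

// IssueInitial models the one-off key ceremony: the operator verified out of
// band that pub lives in the HSM, so the CA signs it directly.
func (ca *CA) IssueInitial(pub ed25519.PublicKey) Cert {
	return Cert{Pub: pub, CASig: ed25519.Sign(ca.priv, pub)}
}

// RenewLax is the policy from the thread: accept any new key as long as the
// request is signed by a key the CA previously certified. Nothing here can
// tell whether newPub was generated inside an HSM or in software.
func (ca *CA) RenewLax(old Cert, newPub ed25519.PublicKey, reqSig []byte) (Cert, error) {
	if !ed25519.Verify(ca.pub, old.Pub, old.CASig) {
		return Cert{}, errors.New("old cert was not issued by this CA")
	}
	if !ed25519.Verify(old.Pub, newPub, reqSig) {
		return Cert{}, errors.New("renewal request not signed by the old key")
	}
	return Cert{Pub: newPub, CASig: ed25519.Sign(ca.priv, newPub)}, nil
}

// RenewStrict additionally demands an attestation over newPub from the assumed
// HSM attestation key, so a key generated in software cannot be renewed onto.
func (ca *CA) RenewStrict(old Cert, newPub ed25519.PublicKey, reqSig, attestSig []byte) (Cert, error) {
	if !ed25519.Verify(ca.hsmAttestPub, newPub, attestSig) {
		return Cert{}, errors.New("no valid HSM attestation for the new key")
	}
	return ca.RenewLax(old, newPub, reqSig)
}

// RunScenario replays the thread: an HSM key certified at the ceremony, then
// renewals onto software-generated keys. It returns how many software keys the
// lax policy blessed, whether the strict policy rejected a software key, and
// whether the strict policy still accepted an attested HSM key.
func RunScenario() (laxBlessed int, strictRejectsSoft bool, strictAcceptsHSM bool) {
	hsmAttestPub, hsmAttestPriv, _ := ed25519.GenerateKey(rand.Reader) // assumed HSM attestation identity
	ca := NewCA(hsmAttestPub)

	hsmPub, hsmPriv, _ := ed25519.GenerateKey(rand.Reader) // modelled as generated inside the HSM
	initial := ca.IssueInitial(hsmPub)

	// Lax policy: every renewal onto a software key is accepted, and each new
	// holder can in turn bless the next one, so the chain never returns to the HSM.
	cur, curPriv := initial, hsmPriv
	for i := 0; i < 2; i++ {
		softPub, softPriv, _ := ed25519.GenerateKey(rand.Reader) // generated in software
		next, err := ca.RenewLax(cur, softPub, ed25519.Sign(curPriv, softPub))
		if err != nil {
			return laxBlessed, false, false
		}
		laxBlessed++
		cur, curPriv = next, softPriv
	}

	// Strict policy: a software key has no attestation and is refused.
	softPub, _, _ := ed25519.GenerateKey(rand.Reader)
	_, err := ca.RenewStrict(initial, softPub, ed25519.Sign(hsmPriv, softPub), nil)
	strictRejectsSoft = err != nil

	// Strict policy: a new HSM key carrying an attestation is still renewable.
	newHSMPub, _, _ := ed25519.GenerateKey(rand.Reader)
	_, err = ca.RenewStrict(initial, newHSMPub, ed25519.Sign(hsmPriv, newHSMPub), ed25519.Sign(hsmAttestPriv, newHSMPub))
	strictAcceptsHSM = err == nil
	return
}

func main() {
	lax, rej, acc := RunScenario()
	fmt.Printf("lax policy blessed %d software keys; strict rejects software key: %v; strict accepts attested HSM key: %v\n", lax, rej, acc)
}
```

The point of the model is the asymmetry Peter names: under `RenewLax` the only thing the CA ever verifies is a signature by some previously certified key, so after the first renewal the CA's decision rests entirely on whoever holds that key, and the key ceremony's assurance about hardware residency does not propagate. Whatever real mechanism replaces the assumed `hsmAttestPub` check, the CA must verify something about the new key that only the HSM can produce, not merely something the old key holder can produce.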