"Salz, Rich" wrote:
> 
> >can CRLs be signed by a certificate that is not the CA certificate
> 
> No.

OK, but maybe there is a solution (that I never tried, and it might be
incompatible with a lot of existing software):

If I understand correctly, you do not want to have your CA keys online for
security reasons? Or more precisely, you do not want to have some key
online, because this key is able to sign certificates which would be
verified by the CA certificate you published...?

But if you generate a second key for your CA, and use this key ONLY for
signing CRLs, you can achieve what you want.

Of course you need to sign a CA certificate for this new key. This
certificate would be signed by your main (old) CA key, but you would use
a keyUsage extension with only the crlSign bit set. Thus this
certificate cannot be used to verify certificates but can be used to
verify CRLs.

It would be reasonably safe to have the second CA key online. At least
it is as safe as what you can get with online signing of revocation
status.

Note that you probably also need the keyid extension to help
software find the right CA certificate.

Let me know if you think it is possible in real life.

Marc
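As an added example (not from this thread), the scheme described above built with the openssl command line in a scratch directory: the main CA key issues the certificates, a second key certified with only cRLSign issues the CRL, and the CRL's authorityKeyIdentifier points verifiers at that second key. The names "Demo Root CA" and "demo-leaf" and all file names are made up; it assumes openssl in PATH, and note that the verifier has to be told to look for a CRL signer outside the certificate chain (OpenSSL's -extended_crl flag), which is the compatibility cost the post anticipates.

```shell
# Every name and file here is made up; the whole demo runs in a scratch directory.
demo_crl_signer() {
  cd "$(mktemp -d)" && : > index.txt   # empty CA database for 'openssl ca'
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
default_md = sha256
default_crl_days = 1
crl_extensions = crl_ext
[ crl_ext ]
authorityKeyIdentifier = keyid:always
[ req ]
distinguished_name = dn
[ dn ]
[ root_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ crlsigner_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
  # Main CA key and self-signed certificate: this is the key that stays offline.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
    -subj "/CN=Demo Root CA" -config ca.cnf -extensions root_ext 2>/dev/null
  # Second key with the CA's own name, certified by the main key with ONLY cRLSign.
  openssl req -new -newkey rsa:2048 -nodes -keyout crl.key -out crl.csr \
    -subj "/CN=Demo Root CA" -config ca.cnf 2>/dev/null
  openssl x509 -req -in crl.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.cnf -extensions crlsigner_ext -out crlsigner.pem 2>/dev/null
  # One end-entity certificate issued by the main CA key.
  openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=demo-leaf" -config ca.cnf 2>/dev/null
  openssl x509 -req -in leaf.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -out leaf.pem 2>/dev/null
  # The CRL is signed by the second key; crl_ext puts that key's id in its AKID.
  gencrl() { openssl ca -config ca.cnf -gencrl -keyfile crl.key -cert crlsigner.pem \
               -out crl.pem 2>/dev/null; }
  # Prints OK / revoked / failed; -extended_crl lets OpenSSL accept a CRL signer
  # that is not the certificate's issuer (it is offered via -untrusted).
  verdict() { out=$(openssl verify -CAfile root.pem -untrusted crlsigner.pem \
      -CRLfile crl.pem -crl_check -extended_crl "$1" 2>&1) || true
    case "$out" in *": OK"*) echo OK ;; *revoked*) echo revoked ;; *) echo failed ;; esac; }
  gencrl; before=$(verdict leaf.pem)
  # Revoke the leaf and reissue the CRL, again with the second key only.
  openssl ca -config ca.cnf -revoke leaf.pem -keyfile crl.key -cert crlsigner.pem 2>/dev/null
  gencrl; echo "$before $(verdict leaf.pem)"   # → OK revoked
}
```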
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
