On 17/10/2011 14:34, Eisenacher, Patrick wrote:
Hi Erwann,

-----Original Message-----
From: Erwann Abalea

Hello,

While testing Apache-trunk (which will become apache 2.3.15), including
the patch to use OpenSSL CRL validation, I've come to disagree with what
OpenSSL does.

My scheme is:
   - CA1 is a root (trust anchor), which is now in its first generation
     (let's call it CA1g1)
   - U1, U2, U3 are end-user certificates, issued by CA1
   - U1 is revoked, and the CRL is published (let's call it CRLg1)
You can't revoke a root CA by means of a CRL. This works only out-of-band,
i.e. you have to declare that the root CA in question is revoked and spread the
news to all your customers.

I know that I can't revoke a root, and I didn't try to do that.
Maybe my phrasing wasn't clear enough?

The problem here is that you can't trust a CRL when its signature key is 
compromised.

The X.509 2008 edition category b) concept that you cite is new to me and,
according to my understanding of PKI, this doesn't make sense, because there is
no trust relationship between any self-signed keys, so I can't trust that key 2
has any relationship to key 1, especially not to issue its CRLs.

In fact, the same paragraph exists in the 2005 edition of X.509. This paragraph was shorter in the 2000 edition. The idea here is that a CA is a name, not a key. You have the same principle for intermediate CAs, i.e. when you renew an intermediate CA, the CRL produced by the new private key encloses all the certificates: the ones generated before the renewal as well as the ones generated after the renewal.

--
Erwann ABALEA
-----
I heard that a company is going to sell software that lets you avoid
downloading the ads, and I find that unacceptable. The sites will be
stripped naked and that will make the site look ridiculous.
-+- BL in: Guide du Neuneu d'Usenet - A poil, tout le monde a poil -+-
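The "a CA is a name, not a key" rule from the exchange above, as an added example that is not part of the thread and not OpenSSL or Apache code. It builds Erwann's scheme with the Python `cryptography` package (an assumption of this example): CA1 exists as two self-signed generations with the same subject name (CA1g1 signed by key 1, CA1g2 signed by key 2), U1 is issued under key 1, and a CRL listing U1 is signed by key 2. `revoked_by_name` implements the X.509 matching rule (CRL issuer name equals certificate issuer name, signature accepted under any trust anchor carrying that name); `revoked_by_key` implements the stricter key-identifier binding Patrick argues for, under which the key-2 CRL is simply not applicable to U1. Names, serials and dates are constructed for the demonstration.

```python
# Added example (not from the thread): CA1 renewed from key 1 (CA1g1) to
# key 2 (CA1g2) under the same name, with a CRL signed by key 2 revoking U1,
# which was issued under key 1. Requires the "cryptography" package.
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

NOW = datetime.datetime(2011, 10, 17)            # constructed fixed clock
LATER = NOW + datetime.timedelta(days=365)
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "CA1")])


def new_key():
    return ec.generate_private_key(ec.SECP256R1())


def make_root(key):
    """Self-signed CA1 certificate for one key generation; the name stays CA1."""
    return (
        x509.CertificateBuilder()
        .subject_name(CA_NAME)
        .issuer_name(CA_NAME)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW)
        .not_valid_after(LATER)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
        .sign(key, hashes.SHA256())
    )


def issue_user(ca_key, cn, serial):
    """End-user certificate issued by CA1 with whichever CA key is current."""
    ukey = new_key()
    return (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
        .issuer_name(CA_NAME)
        .public_key(ukey.public_key())
        .serial_number(serial)
        .not_valid_before(NOW)
        .not_valid_after(LATER)
        .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(ca_key.public_key()), critical=False)
        .sign(ca_key, hashes.SHA256())
    )


def make_crl(ca_key, revoked_serials):
    """CRL issued under the CA1 name, signed by the given CA key."""
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(CA_NAME)
        .last_update(NOW)
        .next_update(LATER)
        .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(ca_key.public_key()), critical=False)
    )
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW).build()
        )
    return builder.sign(ca_key, hashes.SHA256())


def revoked_by_name(cert, crl, trust_anchors):
    """X.509 rule: match the CRL to the certificate by issuer *name*, then
    accept the CRL if any trust anchor bearing that name verifies its signature."""
    if crl.issuer != cert.issuer:
        return None                               # CRL belongs to a different CA
    for anchor in trust_anchors:
        if anchor.subject == crl.issuer and crl.is_signature_valid(anchor.public_key()):
            return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None
    raise ValueError("CRL signature verifies under no trust anchor named %s" % crl.issuer)


def revoked_by_key(cert, crl):
    """Strict key binding: the CRL only applies if its authority key identifier
    equals the certificate's, i.e. the very same CA key signed both."""
    def aki(obj):
        return obj.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value.key_identifier
    if aki(crl) != aki(cert):
        return None                               # CRL from "another" key: not applicable
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None


def demo():
    key1, key2 = new_key(), new_key()
    ca1g1, ca1g2 = make_root(key1), make_root(key2)   # same name, two generations
    u1 = issue_user(key1, "U1", 1001)                 # issued before the renewal
    u2 = issue_user(key2, "U2", 1002)                 # issued after the renewal
    crl_g2 = make_crl(key2, [u1.serial_number])       # CRL signed by the new key only
    return {
        "u1_by_name": revoked_by_name(u1, crl_g2, [ca1g1, ca1g2]),   # True
        "u2_by_name": revoked_by_name(u2, crl_g2, [ca1g1, ca1g2]),   # False
        "u1_by_key": revoked_by_key(u1, crl_g2),                     # None: CRL ignored
        "u2_by_key": revoked_by_key(u2, crl_g2),                     # False
    }


if __name__ == "__main__":
    print(demo())
```

Under name matching the key-2 CRL revokes U1 even though U1 was signed by key 1, which is the behaviour the X.509 text describes; under strict key matching the same CRL is silently inapplicable to U1, so a validator built that way would report U1 as not revoked unless a key-1 CRL is also published. Whichever rule a validator follows, the trust anchor set (here both CA1 generations) is what decides whose CRL signature is accepted, which is the point Patrick raises about a compromised signing key.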

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
