On 2021-03-20 18:32, Michael Richardson wrote:
Tomas Gustavsson <tomas.gustavsson=40primekey....@dmarc.ietf.org> wrote:
>>> It's common in eID/ePassport, such as ICAO 9303, to sign "new with
>>> old". That way, if trusting the old trust anchor, you can automatically
>>> trust the new. The other way (old-with-new) I have not seen any use of
>>> in practice.
>> The old-with-new and new-with-old practice is described in RFC 2510.
I wandered through the document; it does not have a ToC.
I think section 2.4 _Root CA key update_ ?
The terminology OldWithNew is explained in 2.4.1, but not directly.
In RFC2510, it doesn't matter, since we do all four combinations.
> I know that. I'm merely pointing out that I have not seen anyone actually use
> new-with-old in real life. I put a question to the list some time ago (during
> CMP update discussion) and no-one (that answered) remembered ever seeing it
> in real use.
I see.
> Old-with-new is fairly trivial, both technically and
> organizationally. New-with-old puts completely different requirements on a CA
> rollover procedure, for in most cases no reason. Anything new designed I
> would rather see analyze the usage and need instead of simply copying the
> notation from RFC2510.
Let me expand the terms:
old-with-new -> old public key signed with new anchor
new-with-old -> new public key signed with old anchor
Hah, I managed to trip myself up, that was funny :-)
I meant of course that new-with-old is what I see used extensively in
practice (ICAO 9303 being one example), while I have not seen
old-with-new in practice.
(new-with-new is always created of course, as self-signed Root CA
certificate)
Cheers,
Tomas
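The four certificates the thread is naming, built and checked with Go's standard crypto/x509, as an added example that is not code from the thread, from RFC 2510 or from any product mentioned above. It uses the reading given above ("X with Y" is X's public key signed by Y's private key) and shows the two relying-party situations the link certificates exist for: a verifier that still holds only the old anchor accepts a certificate issued by the new key once NewWithOld is supplied, and a verifier that has moved to the new anchor accepts a certificate issued by the old key once OldWithNew is supplied. The CA names, serial numbers, P-256 keys and validity periods are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Rollover holds the four certificates a root CA key rollover produces,
// named as in RFC 2510: "X with Y" is X's public key signed by Y's key.
type Rollover struct {
	OldWithOld *x509.Certificate // existing self-signed root (today's anchor)
	NewWithNew *x509.Certificate // new self-signed root (tomorrow's anchor)
	NewWithOld *x509.Certificate // new key signed by old key: old-anchor holders can reach the new CA
	OldWithNew *x509.Certificate // old key signed by new key: new-anchor holders can still reach the old CA
}

// caTemplate builds a minimal CA template (name, serial, validity are assumptions).
func caTemplate(cn string, serial int64) *x509.Certificate {
	notBefore := time.Now().Add(-time.Hour)
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// sign issues template for public key pub, signed by signer, which must be the
// private key belonging to parent (crypto/x509 checks this for non-self-signed certs).
func sign(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// GenerateRollover creates an old and a new root key and all four certificates.
func GenerateRollover() (*Rollover, *ecdsa.PrivateKey, *ecdsa.PrivateKey) {
	oldKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	newKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	oldTmpl, newTmpl := caTemplate("Old Root CA", 1), caTemplate("New Root CA", 2)

	r := &Rollover{}
	r.OldWithOld = sign(oldTmpl, oldTmpl, &oldKey.PublicKey, oldKey) // self-signed
	r.NewWithNew = sign(newTmpl, newTmpl, &newKey.PublicKey, newKey) // self-signed
	// Link certificates carry the same subject and public key as the self-signed
	// roots but are issued by the other root; they get their own serial numbers.
	r.NewWithOld = sign(caTemplate("New Root CA", 3), r.OldWithOld, &newKey.PublicKey, oldKey)
	r.OldWithNew = sign(caTemplate("Old Root CA", 4), r.NewWithNew, &oldKey.PublicKey, newKey)
	return r, oldKey, newKey
}

// IssueLeaf issues an end-entity certificate (fresh P-256 key) under root.
func IssueLeaf(cn string, serial int64, root *x509.Certificate, rootKey *ecdsa.PrivateKey) *x509.Certificate {
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	return sign(tmpl, root, &leafKey.PublicKey, rootKey)
}

// ChainLen validates leaf against exactly one trust anchor, offering the link
// certificates as untrusted intermediates. It returns the length of the chain
// found (leaf, links, anchor), or 0 when no path to the anchor exists.
func ChainLen(leaf, anchor *x509.Certificate, links ...*x509.Certificate) int {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(anchor)
	for _, l := range links {
		inter.AddCert(l)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	if err != nil {
		return 0
	}
	return len(chains[0])
}

func main() {
	r, oldKey, newKey := GenerateRollover()
	leafNew := IssueLeaf("device-after-rollover", 100, r.NewWithNew, newKey)
	leafOld := IssueLeaf("device-before-rollover", 101, r.OldWithOld, oldKey)
	fmt.Println("old anchor, new-issued leaf, NewWithOld offered:", ChainLen(leafNew, r.OldWithOld, r.NewWithOld))
	fmt.Println("old anchor, new-issued leaf, no link certificate:", ChainLen(leafNew, r.OldWithOld))
	fmt.Println("new anchor, old-issued leaf, OldWithNew offered:", ChainLen(leafOld, r.NewWithNew, r.OldWithNew))
	fmt.Println("new anchor, new-issued leaf, no link needed:", ChainLen(leafNew, r.NewWithNew))
}
```

The second line of output is the case the link certificates exist to avoid: a relying party that has not yet installed the new anchor rejects every certificate the new key issues unless NewWithOld is available to it (in the chain it is sent, or in a store). OldWithNew covers the mirror image, relying parties that have already switched anchors while the old key is still issuing or its certificates are still in use.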
_______________________________________________
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima