https://issues.apache.org/bugzilla/show_bug.cgi?id=45708

--- Comment #11 from Erwann Abalea <[email protected]> 2011-10-10 09:10:35 UTC ---
(In reply to comment #10)
> Comment on attachment 27749 [details]
> patch for mod_ssl in order to support more than one crl issued by different 
> CAs
> with the same subject

If the subject is the same, then it's the same CA. A CA can have several
certificates, separated by roles, or generation (renewed), but together they
form only one CA, not several.

Please read X.509 (which can be freely downloaded). A CA is not a certificate,
or a key, it's a *name*.

> In my company we have a root certification authority with a subCA.
> The PKI is based on Microsoft infrastructure (Certificate Service,
> Active Directory, etc).
> Last month, we have renewed (with new key pair) the subCA since in
> 6 months it will expire and now we have to manage two different
> CRLs: the first one is issued by the old subCA and the second is
> issued by the new subCA. Of course, the subject of the subCA is not
> changed.
> When we revoke a certificate issued by the old subCA the first CRL is
> updated and when we revoke a certificate issued by the new subCA the
> related CRL is updated.
> I don’t know if it is the right behavior but it sounds reasonable,
> however it is the only behavior possible for the Microsoft services.

This is not conformant to X.509. The fact that this is the only possible
behaviour from the Microsoft PKI doesn't make it valid.
In the absence of any critical extension in a CRL stating that this CRL is a
partitioned one (the wording used in X.509 is "full scope" CRL), then this CRL
provides a revocation status for *all the certificates signed by the issuer*.
The AKI extension in the CRL is only a helper to find the correct key to
validate the CRL's signature, it's *not* a CRL differentiator.

[...]
> For what I described before, the usage of authority key identifier and
> subject key identifier, during the CRL verification process, can be
> helpful.
> 
> So, the idea behind the patch is this:
> 1. Get authority key identifier (akid) from the current certificate
> 2. Get subject key identifier (skid) from the current certificate

So SKID is the key identifier of the end-user certificate, right?

> 3. For the CRL verification (first step), look for the CRL with the
>    CRL issuer equal to certificate subject and CRL akid equal to
>    certificate skid

So you're trying to find a CRL emitted by the issuer, but signed by the
end-user key? That's wrong.

> 4. For the revocation check (second step), look for the CRL with the
>    CRL issuer equal to certificate issuer and CRL akid equal to
>    certificate akid

This algorithm won't validate X.509 compliant PKIs, with renewed CAs (read 
rekeyed if you want).
