Ben,

Thank you for starting this thread.  This is a MUCH better place than
in bugzilla for such a discussion to take place.

> A possible solution (already posted in comment 18 in the bug):

I encourage people to read through that bug, especially the early
comments, before contributing here.  (The later comments are mostly
"me too")

>     * Require website owners to continue using the same private key.

This flies in the face of best current practices.

>     * A fingerprint of that private key is put in the certificate.

Such a fingerprint already exists in the cert.  It is the public key.

>     * After expiry of the cert (even now, only the cert expires, not the
>       private key), the web site owner requests another cert from the
>       CA, which certifies the same private key for another year, with a
>       new certificate.

Certs expire for the same reason that credit cards do.  Do you understand
why that is?

>     * We see that the private key stayed the same, and we're happy -
>       it's the same party. We can implement "KCM".
>     * Revocation in case of key loss via CRL or OCSP is still possible.

It requires that CAs NEVER "forget" about any certs they previously
issued, not even after they expire.  It means that a CA's list of revoked
certs will grow boundlessly.  It makes CRLs become impractically big.

CACert tried that once.  They had a multi-megabyte CRL (maybe they still do).

>     * If, for some reason - be it key stolen, cryptographic weakness, or
>       that the admin prefers to generate a new private key all the time
>       - the private key changes, the public cert *must* also be signed
>       by the old private key, in addition to the CA. 

Certs do not have multiple signatures.

>       This is what GPG
>       does, too. This shows us that the new key is authorized by the old
>       owner, so continuity is maintained. 

So, after a key is compromised, it remains desirable that replacement keys
are authorized by a signature made with the compromised key?

> The only problem is if the admin is ignorant of this new scheme and does
> not sign the new cert or the private key is lost insofar as the admin
> cannot find it anymore. This is a separate discussion, see thread opener.
> 
> Is it technically possible for a cert to have two or more signatures? 

No.  X.509 certificates do not have multiple signatures.

> (I think it is - if I'm not mistaken, a cert can also have both MD5 and
> SHA2 signatures.) 

You are mistaken.

> If not, can it be added by extensions?

No, because the content of all extensions is included in the computation
of the signature.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

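Three points in the reply above can be checked directly against DER: the public key itself already serves as a fingerprint that stays constant when the same key is certified again, the outer Certificate SEQUENCE has exactly one signatureValue field, and every extension sits inside the tbsCertificate that the signature covers, so an extension cannot carry an independent second signature. The program below is an added example written for this note, not code from the thread or from any Mozilla project. It uses only Go's standard library; the self-signed certificate stands in for a CA issuing against the same key in successive years, and the subject name, dates and the private-arc marker-extension OID are all constructed placeholders.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// demoExtOID is a constructed placeholder in a private arc, used only so the
// example can find its own extension inside the signed bytes. It is an
// assumption of this example, not a registered identifier.
var demoExtOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// issueCert certifies key for one year from notBefore. It is self-signed here
// as a stand-in for a CA re-certifying the same public key year after year.
func issueCert(key *ecdsa.PrivateKey, serial int64, notBefore time.Time) ([]byte, error) {
	extValue, err := asn1.Marshal("continuity-demo-v1") // well-formed DER body for the marker extension
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(serial),
		Subject:         pkix.Name{CommonName: "example.test"}, // constructed name
		NotBefore:       notBefore,
		NotAfter:        notBefore.AddDate(1, 0, 0),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtraExtensions: []pkix.Extension{{Id: demoExtOID, Value: extValue}},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// spkiFingerprint hashes the SubjectPublicKeyInfo: the key fingerprint a
// certificate already carries, independent of serial, validity or issuer.
func spkiFingerprint(der []byte) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:]), nil
}

// topLevelFields counts the elements of the outer Certificate SEQUENCE. RFC 5280
// defines exactly three: tbsCertificate, signatureAlgorithm, signatureValue.
func topLevelFields(der []byte) (int, error) {
	var outer asn1.RawValue
	if _, err := asn1.Unmarshal(der, &outer); err != nil {
		return 0, err
	}
	n := 0
	for rest := outer.Bytes; len(rest) > 0; n++ {
		var el asn1.RawValue
		var err error
		if rest, err = asn1.Unmarshal(rest, &el); err != nil {
			return 0, err
		}
	}
	return n, nil
}

// signatureCoversExtensions verifies the genuine signature over tbsCertificate,
// then flips one bit inside the marker extension and verifies again. Because
// extensions are part of the signed bytes, the second check must fail.
func signatureCoversExtensions(der []byte) (genuineOK, tamperedOK bool, err error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return false, false, err
	}
	genuineOK = cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil

	var marker []byte
	for _, e := range cert.Extensions {
		if e.Id.Equal(demoExtOID) {
			marker = e.Value
		}
	}
	if marker == nil {
		return genuineOK, false, errors.New("marker extension not present")
	}
	tbs := append([]byte(nil), cert.RawTBSCertificate...)
	idx := bytes.Index(tbs, marker)
	if idx < 0 {
		return genuineOK, false, errors.New("marker extension not found in tbsCertificate")
	}
	tbs[idx+len(marker)-1] ^= 0x01 // one-bit change inside the extension value
	tamperedOK = cert.CheckSignature(cert.SignatureAlgorithm, tbs, cert.Signature) == nil
	return genuineOK, tamperedOK, nil
}

func main() {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	start := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed dates
	thisYear, err := issueCert(key, 1, start)
	if err != nil {
		panic(err)
	}
	nextYear, err := issueCert(key, 2, start.AddDate(1, 0, 0))
	if err != nil {
		panic(err)
	}
	f1, _ := spkiFingerprint(thisYear)
	f2, _ := spkiFingerprint(nextYear)
	fmt.Println("same key across renewals:", f1 == f2)
	n, _ := topLevelFields(thisYear)
	fmt.Println("top-level fields in Certificate (one signatureValue):", n)
	ok, tampered, _ := signatureCoversExtensions(thisYear)
	fmt.Println("genuine signature verifies:", ok, "| after editing an extension:", tampered)
}
```

Pinning the SPKI hash rather than the whole certificate is how "same key, new cert" continuity is tracked in practice; the tamper check is the concrete reason a second signature cannot be smuggled in through an extension: any bytes added there change the digest the existing signature was computed over.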