On 4/21/05, Kyle Hamilton <[EMAIL PROTECTED]> wrote:
> I'm confused about the role of the petname tool in a situation where a
> site's private key changes -- for example, the key has passed its
> useful lifetime, has been compromised and changed, etc?

The petname binding continues to be valid. The petname tool stores a binding of:

    ( CA public key hash, End entity organization name ) to petname.

The combination of the CA public key and the O field in the site's certificate is treated as a unique identifier for the entity. When the end entity certificate expires, the petname binding will be unaffected, so long as the new certificate is issued by the same CA certificate and specifies the same value for the O field.

Note that the only semantics given to the O field is that the particular CA does not issue certificates to separate entities using the same O field value. The actual value of the O field is irrelevant and there is no uniqueness requirement across CAs.

I used the O field instead of the CN field, because some large sites have multiple certificates, each with a different CN value. The petname is meant to identify the entity you are conversing with, not some implementation artifact, such as a particular server.

Tyler

-- 
The web-calculus is the union of REST and capability-based security:
http://www.waterken.com/dev/Web/

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
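The binding described in the reply, as an added example that is not the Petname Tool's own code: a store keyed on (hash of the issuing CA's public key, subject O) and a lookup that ignores the end-entity key and the CN. The `Certificate` class is a constructed stand-in for the few certificate fields involved, the CA key bytes are constructed values, and the choice of SHA-256 over the CA's encoded public key is an assumption (the message only says "CA public key hash"). The example shows the consequences the reply spells out: a renewed certificate with a new end-entity key, or a second server with a different CN, still resolves to the same petname, while the same O under a different CA, or a different O under the same CA, has no binding.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Certificate:
    """Constructed stand-in for the certificate fields the binding depends on.

    issuer_spki: encoded public key of the issuing CA (here: arbitrary bytes)
    subject_o:   O attribute of the subject name
    subject_cn:  CN attribute of the subject name (not part of the binding)
    ee_spki:     the site's own public key (not part of the binding)
    """
    issuer_spki: bytes
    subject_o: str
    subject_cn: str
    ee_spki: bytes


def binding_key(cert: Certificate) -> Tuple[str, str]:
    """Identity of the entity: (hash of CA public key, O field).

    SHA-256 is an assumption; the message does not name the hash. Only the
    CA key and the O value take part, so CN and the end-entity key can change
    without disturbing the binding.
    """
    ca_hash = hashlib.sha256(cert.issuer_spki).hexdigest()
    return (ca_hash, cert.subject_o)


class PetnameStore:
    """User-assigned names, keyed on the (CA key hash, O) identity."""

    def __init__(self) -> None:
        self._bindings: Dict[Tuple[str, str], str] = {}

    def assign(self, cert: Certificate, petname: str) -> None:
        self._bindings[binding_key(cert)] = petname

    def lookup(self, cert: Certificate) -> Optional[str]:
        # None means "no petname for this entity": the user has never named it,
        # or the certificate identifies a different entity than the one named.
        return self._bindings.get(binding_key(cert))


def demo() -> Dict[str, Optional[str]]:
    """Walk through the cases in the reply and return each lookup result."""
    ca_a = b"constructed-ca-A-public-key"
    ca_b = b"constructed-ca-B-public-key"

    original = Certificate(ca_a, "Example Bank", "www.example-bank.test", b"ee-key-1")
    renewed = Certificate(ca_a, "Example Bank", "www.example-bank.test", b"ee-key-2")
    mail_host = Certificate(ca_a, "Example Bank", "mail.example-bank.test", b"ee-key-3")
    other_ca = Certificate(ca_b, "Example Bank", "www.example-bank.test", b"ee-key-4")
    other_o = Certificate(ca_a, "Examp1e Bank", "www.example-bank.test", b"ee-key-5")

    store = PetnameStore()
    store.assign(original, "my bank")  # the user names the entity once

    return {
        "original": store.lookup(original),
        "renewed_key_rotated": store.lookup(renewed),   # same CA, same O: still bound
        "different_cn": store.lookup(mail_host),        # same entity, other server
        "same_o_different_ca": store.lookup(other_ca),  # different identity: unbound
        "different_o_same_ca": store.lookup(other_o),   # different identity: unbound
    }


if __name__ == "__main__":
    for case, petname in demo().items():
        print(f"{case:24s} -> {petname!r}")
```

The store never consults the certificate's validity period or the end-entity key, which is exactly why a key rotation or renewal under the same CA leaves the user's name for the site intact; a certificate for the same O issued by a different CA is a different entity and shows up as unnamed.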
