alexandru matei wrote:
> 
> Until now I can't see what happens when the CA certificate expires or
> has to be changed (due to key compromise). What happens with old user
> certificates in those cases (there are two cases: expired and
> compromised root CA key)?

The case you are writing about is quite complex. In general, when a key
is compromised there is no way to establish what was signed while
the key was secure and what was signed after the key was
compromised.

If you cannot state for certain that a certificate was issued by
the "original" (let's say so) CA, you have to consider the user certificates
compromised as well (because whoever has the secret CA key could have issued
"false" certificates -- so the trust link is broken).

If the CA certificate has simply expired, you have 2 options:

        1. Apply for a new certificate for the same key-pair

        2. Generate a new key-pair and apply for a certificate to
           the up-level CA

Keep in mind that the users' certificate expiration dates should not exceed
the CA's.

There could be more cases than the ones exposed here, and they can be quite
complex to analyze. Keep in mind, however, that if a key is compromised you
cannot trust its usage unless there are other tools (timestamping, etc.)
or means of verification (optical archiving BEFORE the key compromise;
however, it is very difficult to determine when a key has been
compromised...).

If you have further questions I suggest you read some of the RFCs by
the IETF (pkix-wg).

-- 

C'you,

        Massimiliano Pala

--o-------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager]               madwolf at cpan.org
                                                       madwolf at openca.org
http://www.openca.org                             madwolf at hackmasters.net
http://openca.sourceforge.net                    Mobile: +39 (0)347 7222 365

_______________________________________________
OpenCA-Devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-devel
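The following is an added example, not code from the post above or from the OpenCA project. It uses the openssl command line (assumed to be 1.1.0 or newer, for `verify -attime`) to show two things the message describes: what happens when a user certificate's expiration date exceeds the CA's, and the two renewal options, a new certificate for the same CA key pair versus a new key pair. The subjects, file names and lifetimes are made up for the demo, and a self-signed root stands in for the "up-level CA" that would re-certify the key.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenCA: it uses the
# openssl CLI to show (a) a user certificate outliving the CA that signed it,
# and (b) the two renewal options discussed above: re-certify the SAME CA key
# pair, or generate a NEW key pair. Names, subjects and lifetimes are made up.
set -eu

WORK=$(mktemp -d)
trap 'cd / && rm -rf "$WORK"' EXIT
cd "$WORK"

DAY=86400

# Self-contained OpenSSL config so the result does not depend on the system openssl.cnf.
cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
prompt             = no
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_user ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature
authorityKeyIdentifier = keyid
EOF

# verify_at CA LEAF EPOCH: prints "valid" if LEAF chains to CA at time EPOCH, else "invalid".
verify_at() {
    if openssl verify -attime "$3" -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo valid
    else
        echo invalid
    fi
}

# still_valid_after CERT SECONDS: prints "yes" if CERT has not expired SECONDS from now.
still_valid_after() {
    if openssl x509 -checkend "$2" -noout -in "$1" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# 1. Root CA deliberately valid for only 2 days, so the problem shows up quickly.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out ca.key
openssl req -x509 -new -key ca.key -config demo.cnf -subj "/CN=Demo Root CA" \
    -days 2 -out ca.crt

# 2. User certificate valid for 10 days: the mistake the post warns about,
#    its expiration date exceeds the CA's.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out user.key
openssl req -new -key user.key -config demo.cnf -subj "/CN=alice" -out user.csr
openssl x509 -req -in user.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -extfile demo.cnf -extensions v3_user -days 10 -out user.crt

# 3a. Option 1: a new CA certificate for the SAME key pair (self-signed here,
#     standing in for "apply to the up-level CA"). Same key means the same
#     subjectKeyIdentifier, so the old user cert's authorityKeyIdentifier still
#     matches and its signature still verifies.
openssl req -x509 -new -key ca.key -config demo.cnf -subj "/CN=Demo Root CA" \
    -days 3650 -out ca-renewed.crt

# 3b. Option 2: a NEW key pair. Old user certificates no longer chain to it
#     and have to be reissued.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out ca-new.key
openssl req -x509 -new -key ca-new.key -config demo.cnf -subj "/CN=Demo Root CA" \
    -days 3650 -out ca-rekeyed.crt

# Reference times, taken after issuance so NOW is never before a notBefore.
NOW=$(date +%s)
LATER=$((NOW + 5 * DAY))   # CA has expired by then, the user cert has not

echo "CA still valid in 5 days:             $(still_valid_after ca.crt $((5 * DAY)))"
echo "user cert still valid in 5 days:      $(still_valid_after user.crt $((5 * DAY)))"
echo "user cert vs original CA, now:        $(verify_at ca.crt user.crt "$NOW")"
echo "user cert vs original CA, in 5 days:  $(verify_at ca.crt user.crt "$LATER")"
echo "user cert vs renewed CA (same key):   $(verify_at ca-renewed.crt user.crt "$LATER")"
echo "user cert vs re-keyed CA (new key):   $(verify_at ca-rekeyed.crt user.crt "$LATER")"
```

The point of the `-attime` checks is that OpenSSL validates the validity period of every certificate in the chain, not just the leaf: five days in, the user certificate is still inside its own period but fails because the CA certificate has expired. Re-certifying the same key pair repairs that without touching the user certificates; rolling a new key pair does not, which is the reissue-everything scenario the message describes for a compromised key as well.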
