This is allowed.
A CA can delegate the issuing of CRLs to another entity by issuing a
certificate with the cRLSign certificate usage extension and
including that entity's DN as a cRLIssuer in the
cRLDistributionPoints extension of all certificates issued by that CA.
This allows, among other things, for a CA to remain inactive,
possibly secured in a safe, while the cRLIssuer issues regular CRLs.
For a Root CA which only signs a few Sub-CA certificates every 10-20
years, this allows frequent CRLs to be issued without the Root CA
private key being exposed.
This is just the scenario I was wondering if OpenCA supported.
JZ
On 08/09/2007, at 11:28 PM, Diego de Felice wrote:
I think this is not so correct. When you verify the validity of an
X509 certificate, you download the CRL specified in the CDP extension
and you must verify that the CRL is signed by the same CA certificate
that issued the certificate (through the authorityKeyIdentifier
extension). If you sign the CRL with another key, this check will fail
in third party software.
Of course you can force this in OpenCA by modifying the Perl code :-)
On 9/8/07, John Zornig <[EMAIL PROTECTED]> wrote:
Is it possible in OpenCA to configure a CRL Issuer or Revocation Authority
which can be online and issuing regular CRLs for an offline CA?
i.e. the CRLs would be signed by a CRL Issuer key rather than the
CA key.
I can't find any mention of this in the doco.
John Zornig
Specialist Systems Analyst
Australian Access Federation
Strategic Technologies Group
Information Technology Services (ITS)
The University of Queensland
Brisbane Qld, 4072
Ph: +61 7 336 54288
Mob: +61 434 351 532
[EMAIL PROTECTED]
http://www.uq.edu.au/~uqjzorni/
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users