Hi,

Actually as Scott says, it is a perfectly allowed scenario. However, check
that the client software supports it - although new versions of software
could support CRLs issued by the revocation authority, older may not
accept those CRLs.

Coming to OpenCA, actually you'd have to patch it because CRL issuing is
only supported at CAs, not RAs (which are the ones that are usually online).
We'll add that to the TODO list for next version(s), especially for
OpenCA-NG.

Later,
Max


Scott Rea wrote:
Generically speaking this IS an allowed configuration according to the RFC - and it is recommended that the CRL signer be issued off the CA for which it is signing CRLs. But whether OpenCA supports this, I will leave that to the experts...
-Scott

Diego de Felice wrote:
I think this is not so correct. When you verify the validity of an
X509 certificate, you download the CRL specified in the CDP extension
and you must verify that the CRL is signed by the same CA certificate
that issued the certificate (through the authorityKeyIdentifier
extension). If you sign the CRL with another key, this check will fail
in third party software.

Of course you can force this in OpenCA by modifying the Perl code :-)


On 9/8/07, John Zornig <[EMAIL PROTECTED]> wrote:
Is it possible in Open CA to configure a CRL Issuer or Revocation Authority
which can be online and issuing regular CRLs for an offline CA?

i.e. the CRLs would be signed by a CRL Issuer key rather than the CA key.

I can't find any mention of this in the doco.




--

Best Regards,

        Massimiliano Pala

--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager]            [EMAIL PROTECTED]
                                                 [EMAIL PROTECTED]

Dartmouth Computer Science Dept               Home Phone: +1 (603) 397-3883
PKI/Trust - Office 063                        Work Phone: +1 (603) 646-9179
--o------------------------------------------------------------------------
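The thread turns on whether relying parties will accept a CRL signed by a key other than the CA's. RFC 5280 (section 6.3.3) allows this as an "indirect CRL": the certificate's CRL distribution point must name the CRL signer in its cRLIssuer field, and the CRL must carry an issuing distribution point extension with the indirectCRL flag set; otherwise the CRL issuer must equal the certificate issuer, which is the failure Diego describes. The example below is an added illustration written for this post, not OpenCA code and not a real ASN.1 parser: it models those matching rules on plain data structures (all names, serials and key identifiers are constructed) so the two configurations can be compared side by side. It also shows the indirect-CRL lookup rule, where each revoked entry's issuer defaults to the CRL issuer until a certificateIssuer entry extension changes it.

```python
"""Model of the RFC 5280 section 6.3.3 checks that decide whether a CRL may be
used for a given certificate, including the indirect-CRL case where an online
CRL issuer (not the offline CA) signs the CRL. All values are constructed for
this example; no real X.509 parsing or signature verification is performed."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Cert:
    subject: str
    issuer: str
    serial: int
    ski: str                                   # subjectKeyIdentifier (hex, constructed)
    key_usage: Set[str] = field(default_factory=set)   # e.g. {"keyCertSign", "cRLSign"}
    crl_issuer: Optional[str] = None           # cRLIssuer from the CRL distribution point


@dataclass
class RevokedEntry:
    serial: int
    certificate_issuer: Optional[str] = None   # CRL entry extension, indirect CRLs only


@dataclass
class CRL:
    issuer: str
    aki: str                                   # authorityKeyIdentifier of the CRL signer
    indirect: bool = False                     # indirectCRL flag in the IDP extension
    revoked: List[RevokedEntry] = field(default_factory=list)


def crl_applies_to(cert: Cert, crl: CRL, signer: Cert) -> str:
    """Return 'ok', or the reason the CRL must be rejected for this certificate."""
    # 6.3.3 (b)(1): issuer and scope of the CRL
    if cert.crl_issuer is not None:
        if crl.issuer != cert.crl_issuer:
            return "CRL issuer does not match cRLIssuer in the certificate's CDP"
        if not crl.indirect:
            return "CDP names a separate cRLIssuer but CRL lacks indirectCRL flag"
    elif crl.issuer != cert.issuer:
        return "CRL issuer differs from certificate issuer and CDP names no cRLIssuer"
    # 6.3.3 (f)/(g): the signer must be the named issuer, hold cRLSign, and match the AKI
    if signer.subject != crl.issuer:
        return "signing certificate subject does not match CRL issuer"
    if "cRLSign" not in signer.key_usage:
        return "CRL signer lacks cRLSign key usage"
    if crl.aki != signer.ski:
        return "CRL authorityKeyIdentifier does not match signer's subjectKeyIdentifier"
    return "ok"


def is_revoked(cert: Cert, crl: CRL) -> bool:
    """Look the certificate up in the CRL. In an indirect CRL an entry's issuer is
    the CRL issuer until a certificateIssuer entry extension overrides it, and the
    override stays in effect for all following entries (RFC 5280 section 5.3.3)."""
    current_issuer = crl.issuer
    for entry in crl.revoked:
        if entry.certificate_issuer is not None:
            current_issuer = entry.certificate_issuer
        if entry.serial == cert.serial and current_issuer == cert.issuer:
            return True
    return False


# Constructed PKI: an offline CA, an online CRL issuer certified by it, and a
# server certificate issued by the CA, once with and once without a cRLIssuer CDP.
CA = Cert("CN=Offline Root CA", "CN=Offline Root CA", 1, "aa11", {"keyCertSign", "cRLSign"})
CRL_SIGNER = Cert("CN=Online CRL Issuer", "CN=Offline Root CA", 2, "bb22", {"cRLSign"})
EE_PLAIN = Cert("CN=server", "CN=Offline Root CA", 1001, "cc33")
EE_INDIRECT = Cert("CN=server", "CN=Offline Root CA", 1001, "cc33",
                   crl_issuer="CN=Online CRL Issuer")

DIRECT_CRL = CRL("CN=Offline Root CA", "aa11", revoked=[RevokedEntry(1001)])
INDIRECT_CRL = CRL("CN=Online CRL Issuer", "bb22", indirect=True,
                   revoked=[RevokedEntry(5),
                            RevokedEntry(1001, certificate_issuer="CN=Offline Root CA")])
UNFLAGGED_CRL = CRL("CN=Online CRL Issuer", "bb22", indirect=False)
# Same serial, but no certificateIssuer: this entry refers to a cert of the CRL issuer itself.
AMBIGUOUS_CRL = CRL("CN=Online CRL Issuer", "bb22", indirect=True, revoked=[RevokedEntry(1001)])


def demo() -> dict:
    """Run the four configurations from the thread and return the verdicts."""
    return {
        "ca_signs_own_crl": crl_applies_to(EE_PLAIN, DIRECT_CRL, CA),
        "other_key_no_cdp_hint": crl_applies_to(EE_PLAIN, INDIRECT_CRL, CRL_SIGNER),
        "indirect_crl_properly_declared": crl_applies_to(EE_INDIRECT, INDIRECT_CRL, CRL_SIGNER),
        "indirect_crl_missing_flag": crl_applies_to(EE_INDIRECT, UNFLAGGED_CRL, CRL_SIGNER),
        "revoked_in_indirect_crl": is_revoked(EE_INDIRECT, INDIRECT_CRL),
        "serial_only_match_is_not_revocation": is_revoked(EE_INDIRECT, AMBIGUOUS_CRL),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The second case is the one that breaks in third-party software: the CRL was signed by the online key, but nothing in the certificate tells the verifier to expect that, so the issuer comparison fails. Issuing certificates whose CDP names the CRL issuer, and setting the indirectCRL flag on the CRLs, is what makes the third case pass, subject to the client support caveat Max raises.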

_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users