Rich Salz <[EMAIL PROTECTED]>:
>> OpenSSL currently thinks that the DN can be used as a primary key for
>> certificates
> Yeah, that's way too simple-minded.
>> One first step to make things right is to use the DN
>> plus any key identifier that may be available
> The nice thing about key (and/or cert) identifiers is that there's so many
> to choose from. To steal a phrase. :)
Well, the authorityKeyIdentifier (consisting presumably just of a
KeyIdentifier) would have to match the issuer's subjectKeyIdentifier;
why would we care how that has been computed?
>> Possibly it makes sense to stop searches at
>> the first matching certificate that is valid according to the system
>> clock
> That won't work. It's common practice to issue certs with overlapping
> validity periods. And if the key is on tamper-evident hardware, there's
> no reason not to recertify the same keypair.
Sure, I had such things in mind. The idea is that if we find a CA
certificate with proper DN and key identifier and this certificate is
currently valid, then we can use it for checking certificate issued by
that CA with that key. If there are two or more valid certificates
with the same DN and key identifier, then it usually won't make a
difference which one we pick. If it *does* make a difference while
checking the validity of an end-entity certificate -- i.e. if more has
been changed than the validity period --, then I wouldn't call it a
"re-issued" certificate.
> The only really valid search key is <subject,issuer,serial>
Valid for which purpose? If we know the issuer and serial number of a
ceritificate, the we don't need its subject to search for that
certificate. What I'm talking about is certificate validation, where
we get a certificate chain minus the root certificate and have to try
to complete this chain so that we can verify it. The topmost
certificate we get in the truncated chain reveals the issuers DN and
possibly also a key identifier, but usually not the
authorityCertIssuer and authorityCertSerialNumber. While these would
make for an excellent search key, their presence doesn't make a lot of
sense in an environment where where we want to re-issue certificates:
A CA that renews its own self-signed certificate would have to
re-issue all other certificates it signed if those are to remain valid
with the new CA cert, because the authorityCertSerialNumber must be
updated to point to the new CA certificate. And if all certificate
subjects need new certificates, then why re-issue the certificate in
the first place? You could just as well create an entirely new one
then, i.e. one where the "DN plus optional key identifier" search key
has changed.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
