Yes, this is possible - you can have two different keys for
a CA, one to sign certs and another to sign CRLs. And yes,
it does work (at least with some of the software out there).
However, these are still both the CA's keys.

There are also "Indirect CRLs", which can be produced by
one entity saying what is revoked by another entity (a CA).
Not sure how much of the software out there supports that.

Regards,
Ambarish

> -----Original Message-----
> From: Marc Jadoul [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, February 13, 2000 5:03 AM
> To: Massimiliano Pala
> Cc: [EMAIL PROTECTED]; IETF-PXIX
> Subject: Signing CRL with offline CA (was [Fwd: OCSP and CSL]).
> 
> 
> "Salz, Rich" wrote:
> > 
> > >can CRLs be signed by a certificate that is not the CA certificate
> > 
> > No.
> 
> Ok, but maybe there is a solution (that I never tried, and it might be
> incompatible with a lot of existing software):
> 
> If I understand correctly, you do not want to have your CA keys online for
> security reasons? Or more precisely, you do not want to have some key
> online, because this key is able to sign certificates which would be
> verified by the CA certificate you published...?
> 
> But if you generate a second key for your CA, and use this key ONLY for
> signing CRLs, you can achieve what you want.
> 
> Of course you need to sign a CA certificate for this new key. This
> certificate would be signed by your main (old) CA key, but you would use
> a keyUsage extension with only the crlSign bit set. Thus this
> certificate cannot be used to verify certificates but can be used to
> verify CRLs.
> 
> It would be reasonably safe to have the second CA key online. At least
> it is as safe as what you can get with online signing of revocation
> status.
> 
> Note that you probably also need the keyid extension to help
> software find the right CA certificate.
> 
> Let me know if you think it is possible in real life.
> 
> Marc
> 
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
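The two-key layout Marc proposes, as an added example that is not part of either message in the thread. It uses the openssl command line (assumed to be 1.1.1 or later; the subject names, file paths, serial numbers and helper names are all assumptions of this example) to create the main CA key, certify a second key with keyUsage restricted to cRLSign, issue and then revoke an end-entity certificate, and sign a CRL with the second key only. All keys and certificates are generated on the fly, so nothing is embedded and it runs offline:

```shell
#!/bin/sh
# Added example, not code from the thread: a CA whose main key stays offline and
# signs certificates, plus a second key certified by the main key with
# keyUsage=cRLSign only, which signs CRLs online. Assumes the openssl CLI (1.1.1
# or later); the names, paths and serial numbers are made up for this example.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# One config for req, x509 and ca. The [ca] section points at the CRL-signing
# key and certificate, so the online host never needs the main CA key.
cat > ca.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = Example CA
[ v3_root ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
# CA certificate for the second key, as the thread proposes: same subject as the
# CA, keyUsage limited to cRLSign, and an AKID (the "keyid" extension) that lets
# software tell the two CA certificates apart.
[ v3_crlsigner ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_leaf ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
authorityKeyIdentifier = keyid:always
[ crl_ext ]
authorityKeyIdentifier = keyid:always
[ ca ]
default_ca = online_crl_ca
[ online_crl_ca ]
database = index.txt
new_certs_dir = newcerts
serial = serial
crlnumber = crlnumber
certificate = crlsigner.crt
private_key = crlsigner.key
default_md = sha256
default_crl_days = 30
crl_extensions = crl_ext
EOF

newkey() { openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null; }

# 1. Main CA key (kept offline in practice) and its self-signed certificate.
newkey root.key
openssl req -config ca.cnf -new -x509 -key root.key -days 3650 \
    -subj "/CN=Example CA" -extensions v3_root -out root.crt

# 2. CRL-signing key, certified by the main key with the cRLSign bit only.
newkey crlsigner.key
openssl req -config ca.cnf -new -key crlsigner.key -subj "/CN=Example CA" -out crlsigner.csr
openssl x509 -req -in crlsigner.csr -CA root.crt -CAkey root.key -set_serial 2 -days 365 \
    -extfile ca.cnf -extensions v3_crlsigner -out crlsigner.crt 2>/dev/null

# 3. An end-entity certificate issued by the main key, serial 0x1000.
newkey leaf.key
openssl req -config ca.cnf -new -key leaf.key -subj "/CN=leaf.example" -out leaf.csr
openssl x509 -req -in leaf.csr -CA root.crt -CAkey root.key -set_serial 0x1000 -days 365 \
    -extfile ca.cnf -extensions v3_leaf -out leaf.crt 2>/dev/null

# 4. Online side: revoke the leaf and issue the CRL with the CRL-signing key only.
touch index.txt; mkdir -p newcerts; echo 01 > serial; echo 01 > crlnumber
openssl ca -config ca.cnf -batch -revoke leaf.crt 2>/dev/null
openssl ca -config ca.cnf -batch -gencrl -out crl.pem 2>/dev/null

# Checks. openssl crl -CAfile picks the issuer certificate by subject name, so each
# call is given exactly one certificate; the serial is upper-case hex as openssl prints it.
key_usage_has()     { openssl x509 -in "$1" -noout -text | grep -A1 'X509v3 Key Usage' | grep -q "$2"; }
crl_verifies_with() { openssl crl -in "$1" -noout -CAfile "$2" 2>&1 | grep -q 'verify OK'; }
crl_lists_serial()  { openssl crl -in "$1" -noout -text | grep -q "Serial Number: $2"; }

# 5. The second certificate can sign CRLs but not certificates; the CRL verifies
# with it and not with the main CA certificate; the revoked leaf is listed.
check_layout() {
    key_usage_has crlsigner.crt 'CRL Sign' &&
    ! key_usage_has crlsigner.crt 'Certificate Sign' &&
    crl_verifies_with crl.pem crlsigner.crt &&
    ! crl_verifies_with crl.pem root.crt &&
    crl_lists_serial crl.pem 1000
}
check_layout || { echo "two-key CA layout check failed in $WORK" >&2; exit 1; }
echo "two-key CA layout works: the CRL is signed by the online key only"
```

The checks pass one certificate at a time on purpose: both CA certificates carry the same subject, and `openssl crl -CAfile` chooses the issuer by subject name, so only the authorityKeyIdentifier (the keyid extension Marc mentions) can tell a validator which of the two keys signed the CRL. Whether a given validator uses that identifier to locate the CRL signer, rather than assuming the CRL was signed by the same key that issued the certificates, is exactly the software-support question both messages raise, so test the relying parties you care about before moving the main key offline.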