From the new PKIX part1 (draft-ietf-pkix-new-part1-08.txt), section 5.1.1.3:
CAs that are also CRL issuers MAY use one private key to digitally
sign certificates and CRLs, or MAY use separate private keys to
digitally sign certificates and CRLs. When separate private keys are
employed, each of the public keys associated with these private keys
is placed in a separate certificate, one with the keyCertSign bit set
in the key usage extension, and one with the cRLSign bit set in the
key usage extension (section 4.2.1.3). When separate private keys
are employed, certificates issued by the CA contain one authority key
identifier, and the corresponding CRLs contain a different authority
key identifier. The use of separate CA certificates for validation
of certificate signatures and CRL signatures can offer improved
security characteristics; however, it imposes a burden on
applications, and it might limit interoperability. Many applications
construct a certification path, and then validate the certification
path (section 6). CRL checking in turn requires a separate
certification path to be constructed and validated for the CA's CRL
signature validation certificate. Applications that perform CRL
checking MUST support certification path validation when certificates
and CRLs are digitally signed with the same CA private key. These
applications SHOULD support certification path validation when
certificates and CRLs are digitally signed with different CA private
keys.
Any thoughts on how to go about adding support for separate CA
certificates for certs and CRLs to the existing OpenSSL certificate
verifier?
--
Harald Koch <[EMAIL PROTECTED]>
"It takes a child to raze a village."
-Michael T. Fry
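The two-path lookup the quoted section describes, as an added example that is not part of the original post and not OpenSSL's verifier: a constructed CA (using the Python `cryptography` library) whose certificate-signing key and CRL-signing key each sit in their own certificate under the same CA name, plus one selection routine that links a certificate or a CRL to its signer by issuer name, AKI/SKI match, the required keyUsage bit (keyCertSign or cRLSign) and signature verification. All names and keys are constructed for the example.

```python
from datetime import datetime, timedelta
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID
NOW = datetime(2024, 1, 1)
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example CA")])  # constructed

def _usage(cert_sign, crl_sign):
    return x509.KeyUsage(digital_signature=False, content_commitment=False, key_encipherment=False,
                         data_encipherment=False, key_agreement=False, key_cert_sign=cert_sign,
                         crl_sign=crl_sign, encipher_only=False, decipher_only=False)
def _ca_cert(subject_key, issuer_key, cert_sign, crl_sign):
    # One CA name, possibly two keys: SKI comes from subject_key, AKI from issuer_key.
    return (x509.CertificateBuilder().subject_name(CA_NAME).issuer_name(CA_NAME)
            .public_key(subject_key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .add_extension(_usage(cert_sign, crl_sign), critical=True)
            .add_extension(x509.SubjectKeyIdentifier.from_public_key(subject_key.public_key()), critical=False)
            .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(issuer_key.public_key()), critical=False)
            .sign(issuer_key, hashes.SHA256()))
CERT_KEY = ec.generate_private_key(ec.SECP256R1())  # CA private key that signs certificates
CRL_KEY = ec.generate_private_key(ec.SECP256R1())   # separate CA private key that signs CRLs
CA_CERT = _ca_cert(CERT_KEY, CERT_KEY, cert_sign=True, crl_sign=False)   # self-signed trust anchor
CRL_CERT = _ca_cert(CRL_KEY, CERT_KEY, cert_sign=False, crl_sign=True)   # CRL signature validation cert
CRL = (x509.CertificateRevocationListBuilder().issuer_name(CA_NAME)
       .last_update(NOW).next_update(NOW + timedelta(days=7))
       .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(CRL_KEY.public_key()), critical=False)
       .sign(CRL_KEY, hashes.SHA256()))

def _ski(cert): return cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value.digest
def _aki(obj): return obj.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value.key_identifier

def find_signer(obj, candidates, usage_bit):
    """One link of a path for obj (Certificate or CRL): the candidate whose subject and SKI match
    obj's issuer and AKI, whose keyUsage asserts usage_bit, and whose public key verifies obj."""
    tbs = obj.tbs_certificate_bytes if isinstance(obj, x509.Certificate) else obj.tbs_certlist_bytes
    for cand in candidates:
        if cand.subject != obj.issuer or _ski(cand) != _aki(obj):
            continue
        if not getattr(cand.extensions.get_extension_for_class(x509.KeyUsage).value, usage_bit):
            continue  # same name and key id, but the key is not licensed for this use
        try:
            cand.public_key().verify(obj.signature, tbs, ec.ECDSA(obj.signature_hash_algorithm))
            return cand
        except InvalidSignature:
            pass
    return None
```

Calling `find_signer(CRL, store, "crl_sign")` yields the CRL-signing certificate, and `find_signer(CRL_CERT, store, "key_cert_sign")` then walks that certificate's own path back to the anchor; with only the certificate-signing CA certificate in the store the CRL lookup fails, which is the separate-path burden the draft warns about.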
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]