This was (key word being "was") originally a requirement by Identrus (a financial community of trust); however, this brought many strange problems, and most vendors' products (both CAs and chaining implementations) did not support this well, if at all. As such, Identrus made it an "option", not a requirement; the only commercial CA I know of that supports this is the Baltimore UniCert stuff.
I also vaguely remember that son of RFC2459 added some text to explicitly deal with this scenario. If I remember correctly (and this would not be the first time my memory failed me) they said that their profiles (2459) would not support this.

Ryan

-----Original Message-----
From: Harald Koch [mailto:[EMAIL PROTECTED]]
Sent: Sunday, October 07, 2001 7:16 AM
To: [EMAIL PROTECTED]
Subject: Re: separate CA certs for certificates and CRLs

On Sat, 6 Oct 2001, Dr S N Henson wrote:
> I've been meaning to look through the pkix CRL stuff to see how this lot
> works in practice. The last time I looked I wasn't sure what (if
> anything) restricted the CRL signing certificates path when compared to
> the CA certificate.

I'm not quite sure either, to be honest, which is why I don't like the separate certificates approach. On the other hand, I'm told that the financial institutions, for whatever reason, *like* having separate certs (presumably so that different people can be given access to different private keys).

> For example if you trust two root CAs A and B you
> don't want B to be able to sign CRLs for A without some authorisation
> from A (e.g. a CRL signing certificate chaining to A).

In my particular case, we have Root CA certificates that have the same identification (i.e. "cn=Harald's Bait Shop and CA"), but different keys and different keyUsage fields, a slightly simpler case I think. I'm told that this is a "standard feature" of one of the popular PKI products out there.

I too will have to think about this some more, I guess. :-)

--
Harald Koch <[EMAIL PROTECTED]>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
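Dr Henson's concern and Harald's same-DN layout, modelled as an added example (not code from the thread, from OpenSSL, or from any of the products named) using pyca/cryptography: two trust anchors share the "Harald's Bait Shop and CA" DN, but only the cRLSign certificate that root A actually signed is accepted as a CRL signer for A's certificates. The keys, names, dates and the `crl_signer_for` helper are constructed assumptions for illustration, not a PKIX-specified algorithm.

```python
# Added example, not code from the thread: a constructed PKI (pyca/cryptography)
# applying Dr Henson's rule: a CRL for a cert issued by root A counts only if its
# cRLSign signer is A itself or a certificate that A signed.
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
NOW = datetime(2001, 10, 7, tzinfo=timezone.utc)  # constructed fixed clock
DN = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Harald's Bait Shop and CA")])

def key_usage(cert_sign=False, crl_sign=False):  # x509.KeyUsage positional order
    return x509.KeyUsage(not (cert_sign or crl_sign), False, False, False, False,
                         cert_sign, crl_sign, False, False)
def issue(subject, issuer, signing_key, pubkey, ku):
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + timedelta(days=365))
            .add_extension(ku, critical=True).sign(signing_key, hashes.SHA256()))
def sign_crl(issuer, signing_key, revoked_serial):
    entry = (x509.RevokedCertificateBuilder().serial_number(revoked_serial)
             .revocation_date(NOW).build())
    return (x509.CertificateRevocationListBuilder().issuer_name(issuer)
            .last_update(NOW).next_update(NOW + timedelta(days=30))
            .add_revoked_certificate(entry).sign(signing_key, hashes.SHA256()))
def signed_by(cert, signer):  # signer's name and key account for cert
    try:
        signer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
    except Exception:  # InvalidSignature
        return False
    return cert.issuer == signer.subject
def crl_signer_for(cert, issuer_cert, crl, pool):
    """Cert authorised to sign this CRL for cert, or None. A matching DN is not enough:
    the signer needs cRLSign, must verify the CRL, and must be issuer_cert or signed by it."""
    for cand in [issuer_cert] + pool:
        ku = cand.extensions.get_extension_for_class(x509.KeyUsage).value
        if (cand.subject == crl.issuer == cert.issuer and ku.crl_sign
                and crl.is_signature_valid(cand.public_key())
                and (cand == issuer_cert or signed_by(cand, issuer_cert))):
            return cand
    return None

# Constructed store: A (keyCertSign only) delegates CRLs to a cRLSign cert issued under
# its own DN; B shares the DN (Harald's layout) but was never certified by A.
ka, ka_crl, kb, kee = (ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
root_a = issue(DN, DN, ka, ka.public_key(), key_usage(cert_sign=True))
crl_a = issue(DN, DN, ka, ka_crl.public_key(), key_usage(crl_sign=True))
root_b = issue(DN, DN, kb, kb.public_key(), key_usage(cert_sign=True, crl_sign=True))
ee = issue(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "ee")]), DN, ka, kee.public_key(), key_usage())
POOL = [crl_a, root_b]  # everything the relying party holds besides root_a
good_crl = sign_crl(DN, ka_crl, ee.serial_number)  # delegate that A certified
rogue_crl = sign_crl(DN, kb, ee.serial_number)     # same DN, but B's key
```

`crl_signer_for` returns `crl_a` for `good_crl` and `None` for `rogue_crl`, and also rejects a CRL signed by root A's own key because that certificate lacks cRLSign.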
