
Discovery of CRL Signer Certificate








  1. Discovery of CRL Signer Certificate
     Stefan Santesson, Microsoft

  2. Issues
     • Need a mechanism to find the CRL Issuer certificate when it is NOT part of the certification path
     • Two important cases:
       • CA Rekey
       • Indirect CRL

  3. Proposed solution
     • Allow Authority Information Access (AIA) as an optional, non-critical CRL extension
     • Advantages:
       • Easy to implement: reuses the existing certificate extension, which is supported in most environments
       • Effective and simple solution: allows direct lookup using an unambiguous pointer
       • Allows instant deployment: works with existing certificates

  4. Case 1: CA Rekey
     [Diagram. Elements: Root Cert (TA), CA1 Cert / CA1, CA2o Cert (CA2 old) and CA2n Cert (CA2 new), CA2 CRL, EE Cert / EE; arrow labels AIA and CDP. Note on the EE: need CA2 new public key to validate.]

  5. Case 2: Indirect CRL
     [Diagram. Elements: Root Cert (TA), CRL Issuer Cert / CRL Issuer, CA1 Cert / CA1, CA2 Cert / CA2, CRL, EE Cert / EE; arrow labels AIA and CDP. Note on the CRL: need CRL Issuer public key to validate.]
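The following is an added worked example, not code from the slides or from any IETF draft: it shows what slide 3 proposes (an AuthorityInfoAccess value as it would appear in a CRL, encoded and decoded in DER per RFC 5280 syntax) and the selection step a relying party performs for the two cases in slides 4 and 5 once it has fetched candidates from the caIssuers pointer. Certificates and the CRL are modelled as plain dictionaries, the URLs are placeholders, and signature verification and path building to the trust anchor are assumed to happen after this selection; the DER helpers are written here and handle only the URI form of GeneralName.

```python
# Added example (not part of the slides): locate a CRL signer certificate via an
# AuthorityInfoAccess (AIA) extension carried in the CRL, then narrow the fetched
# candidates to the one that can verify the CRL. Pure Python; sample data is constructed.

OID_AIA = "1.3.6.1.5.5.7.1.1"          # id-pe-authorityInfoAccess (RFC 5280)
OID_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers
OID_OCSP = "1.3.6.1.5.5.7.48.1"        # id-ad-ocsp
TAG_SEQUENCE, TAG_OID, TAG_URI = 0x30, 0x06, 0x86  # [6] uniformResourceIdentifier


def _der_len(n):
    # DER length: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def der_tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                 # remaining arcs in base-128, high bit = more
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return der_tlv(TAG_OID, bytes(body))


def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def read_tlv(buf, pos=0):
    # Returns (tag, body, position after this element)
    tag, first = buf[pos], buf[pos + 1]
    if first & 0x80:
        n = first & 0x7F
        length, header = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    else:
        length, header = first, 2
    start = pos + header
    return tag, buf[start:start + length], start + length


def encode_aia(entries):
    # AuthorityInfoAccessSyntax ::= SEQUENCE OF AccessDescription { accessMethod OID, accessLocation GeneralName }
    descs = b"".join(der_tlv(TAG_SEQUENCE, encode_oid(m) + der_tlv(TAG_URI, u.encode("ascii")))
                     for m, u in entries)
    return der_tlv(TAG_SEQUENCE, descs)


def decode_aia(der):
    tag, body, _ = read_tlv(der)
    assert tag == TAG_SEQUENCE
    entries, pos = [], 0
    while pos < len(body):
        tag, desc, pos = read_tlv(body, pos)
        assert tag == TAG_SEQUENCE
        t, oid_body, after = read_tlv(desc)
        assert t == TAG_OID
        gtag, location, _ = read_tlv(desc, after)
        uri = location.decode("ascii") if gtag == TAG_URI else None  # other name forms skipped
        entries.append((decode_oid(oid_body), uri))
    return entries


def crl_issuer_locations(aia_der):
    return [u for m, u in decode_aia(aia_der) if m == OID_CA_ISSUERS and u is not None]


def select_crl_signer(crl, candidates):
    """Keep only candidates whose subject and key identifier match the CRL's issuer
    and authority key identifier and that are allowed to sign CRLs. This is what
    separates the new CA2 key from the old one in the rekey case; chaining the
    chosen certificate to the trust anchor and checking the CRL signature come next."""
    return [c for c in candidates if c["subject"] == crl["issuer"]
            and c["ski"] == crl["aki"] and "cRLSign" in c["key_usage"]]


# Constructed sample: CRL issued under CA2's new key, carrying an AIA extension
SAMPLE_AIA = encode_aia([(OID_CA_ISSUERS, "http://pki.example.test/ca2-new.cer"),  # placeholder URL
                         (OID_OCSP, "http://ocsp.example.test")])
SAMPLE_CRL = {"issuer": "CN=CA2", "aki": b"\x02" * 20, "extensions": {OID_AIA: SAMPLE_AIA}}
SAMPLE_CANDIDATES = [
    {"subject": "CN=CA2", "ski": b"\x01" * 20, "key_usage": {"keyCertSign", "cRLSign"}},  # CA2 old
    {"subject": "CN=CA2", "ski": b"\x02" * 20, "key_usage": {"keyCertSign", "cRLSign"}},  # CA2 new
    {"subject": "CN=CA1", "ski": b"\x03" * 20, "key_usage": {"keyCertSign", "cRLSign"}},
]

if __name__ == "__main__":
    print(crl_issuer_locations(SAMPLE_CRL["extensions"][OID_AIA]))
    print(select_crl_signer(SAMPLE_CRL, SAMPLE_CANDIDATES))
```

The pointer in the CRL only tells the relying party where to look; the fetched certificate is untrusted input until it has been matched against the CRL's issuer name and authority key identifier, chained to a trust anchor, and used to verify the CRL signature. The same selection applies in the indirect-CRL case of slide 5, where the candidate's subject is the CRL Issuer rather than the certificate's CA.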

  6. Solving the problem with SIA
     • SIA (Subject Information Access) may be used to provide a link to the CRLIssuer certificate in some cases
     • Problems with SIA:
       • Works ONLY if the CRLIssuer certificate and the target certificate were issued by the same CA
       • Complex, as SIA points to all certificates issued by the CA
       • Only supports top-down path building, yet bottom-up is the most common method in implementations
       • May take years to deploy, since critical CA certificates cannot be easily replaced

  7. Related issues
     • The current definition of AIA does not clearly define storage schemas and media types
     • Would benefit from a minor revision of the RFC 3280 description of AIA:
       • Replace "CA" with "authority"
       • Make appropriate changes to the attribute type for DAP access
       • Opportunity to clarify the format of the AIA target (certificate or p7 file)

  8. Way forward
     • Write a draft defining the use of AIA as a CRL extension
       • Limit work to aspects that are specific to use in CRLs
     • Provide input to the update of RFC 3280 regarding generic AIA improvements
       • The draft does not need these changes but would benefit from them in future
