Discovery of CRL Signer Certificate Stefan Santesson Microsoft


Page 1: Discovery of CRL Signer Certificate

Discovery of CRL Signer Certificate

Stefan Santesson

Microsoft

Page 2: Discovery of CRL Signer Certificate

Issues

Need mechanism to find the CRL Issuer certificate when it is NOT part of the certification path

Two important cases:

- CA Rekey
- Indirect CRL

Page 3: Discovery of CRL Signer Certificate

Proposed solution

Allow Authority Information Access (AIA) as an optional, non-critical CRL extension

Advantages:

- Easy to implement: reuses the existing certificate extension, which is supported in most environments
- Effective and simple solution: allows direct lookup using an unambiguous pointer
- Allows instant deployment: works with existing certificates
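
An added example, not part of the original slides: a relying party that finds an AIA extension in a CRL has to decode its value and pick out the caIssuers pointers before it can fetch the CRL signer certificate. The sketch below parses the DER-encoded extension value with the standard library only; the function names and the sample URLs (`pki.example`, `ocsp.example`) are constructed for illustration.

```python
# Added example, not from the slides: list the caIssuers URIs in a CRL's AIA value.
ID_AD_CA_ISSUERS = bytes.fromhex("2b06010505073002")  # OID 1.3.6.1.5.5.7.48.2
ID_AD_OCSP = bytes.fromhex("2b06010505073001")        # OID 1.3.6.1.5.5.7.48.1

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def ca_issuer_uris(aia_der):
    """Return the URI of every id-ad-caIssuers AccessDescription, in order."""
    tag, seq, end = read_tlv(aia_der, 0)
    if tag != 0x30 or end != len(aia_der):
        raise ValueError("AIA value must be exactly one SEQUENCE")
    uris, pos = [], 0
    while pos < len(seq):
        tag, desc, pos = read_tlv(seq, pos)      # AccessDescription
        if tag != 0x30:
            raise ValueError("AccessDescription must be a SEQUENCE")
        mtag, method, nxt = read_tlv(desc, 0)    # accessMethod (OID)
        ltag, location, _ = read_tlv(desc, nxt)  # accessLocation (GeneralName)
        if mtag != 0x06:
            raise ValueError("accessMethod must be an OBJECT IDENTIFIER")
        # Tag 0x86 is GeneralName [6] uniformResourceIdentifier; other forms are skipped.
        if method == ID_AD_CA_ISSUERS and ltag == 0x86:
            uris.append(location.decode("ascii"))
    return uris

def tlv(tag, body):
    """Encode one element; used only to build the constructed sample (< 128 bytes)."""
    return bytes([tag, len(body)]) + body

# Constructed sample: an OCSP entry (ignored) and a pointer to the CRL signer's certificate.
SAMPLE_AIA = tlv(0x30,
    tlv(0x30, tlv(0x06, ID_AD_OCSP) + tlv(0x86, b"http://ocsp.example/")) +
    tlv(0x30, tlv(0x06, ID_AD_CA_ISSUERS) + tlv(0x86, b"http://pki.example/CA2new.cer")))
```

The extension is read before the CRL signature has been verified, so the returned URIs are untrusted hints. A certificate fetched from one of them still has to match the CRL issuer, verify the CRL signature, and chain to a trust anchor.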

Page 4: Discovery of CRL Signer Certificate

[Figure: Case 1: CA Rekey. Diagram labels: TA, RootCert, CA1, CA1Cert, CA2old, CA2oCert, CA2new, CA2nCert, CA2CRL, EECert, CDP, AIA, EE (need CA2 new public key to validate)]

Page 5: Discovery of CRL Signer Certificate

[Figure: Case 2: Indirect CRL. Diagram labels: TA, RootCert, CA1, CA1Cert, CA2, CA2Cert, CRLIssuer, CRLIssuerCert, CRL, EECert, CDP, AIA, EE (need CRL Issuer public key to validate)]

Page 6: Discovery of CRL Signer Certificate

Solving the problem with SIA

SIA may be used to provide a link to the CRLIssuer certificate in some cases

Problems with SIA:

- Works ONLY if the CRLIssuer certificate and the target certificate were issued by the same CA
- Complex, as SIA points to all certificates issued by the CA
- Only supports top-down path building, yet bottom-up is the most common method in implementations
- May take years to deploy since critical CA certificates cannot be easily replaced

Page 7: Discovery of CRL Signer Certificate

Related issues

Current definition of AIA does not clearly define storage schemas and media types

Would benefit from minor revision of RFC 3280 description of AIA

- Replace CA with authority
- Make appropriate changes to attribute type for DAP access

Opportunity to clarify the format of AIA target (certificate or p7 file)

Page 8: Discovery of CRL Signer Certificate

Way forward

Write a draft defining the use of AIA as CRL extension

Limit work to aspects that are specific to use in CRLs

Provide input to update of RFC 3280 regarding generic AIA improvements

- The draft does not need these changes but would benefit from them in future