Discovery of CRL Signer Certificate
Stefan Santesson
Microsoft
Issues
- Need a mechanism to find the CRL issuer certificate when it is NOT part of the certification path
- Two important cases:
  - CA rekey
  - Indirect CRL
Proposed solution
- Allow Authority Information Access (AIA) as an optional, non-critical CRL extension
- Advantages:
  - Easy to implement: reuses the existing certificate extension, which is supported in most environments
  - Effective and simple: allows direct lookup using an unambiguous pointer
  - Allows instant deployment: works with existing certificates
[Diagram] Case 1: CA Rekey
Nodes: TA (RootCert), CA1 (CA1Cert), CA2old (CA2oCert), CA2new (CA2nCert), CA2CRL, EECert; arrows labelled CDP and AIA.
EE (needs the CA2 new public key to validate)
[Diagram] Case 2: Indirect CRL
Nodes: TA (RootCert), CA1 (CA1Cert), CA2 (CA2Cert), CRLIssuer (CRLIssuerCert), CRL, EECert; arrows labelled CDP and AIA.
EE (needs the CRL Issuer public key to validate)
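The lookup the proposal enables, as an added Ruby/OpenSSL example that is not part of the slides: the CRL issuer embeds a non-critical AIA caIssuers pointer in the CRL itself, and the relying party follows that pointer to the CRL signer certificate when it is not in the certification path (Case 2 above). The issuer name, the URL and the `store` hash standing in for an HTTP or LDAP fetch are constructed assumptions; only Ruby's bundled openssl library is used.

```ruby
require "openssl"

CA_ISSUERS_OID = "1.3.6.1.5.5.7.48.2" # id-ad-caIssuers access method (RFC 3280 4.2.2.1)

# CRL issuer side: a self-signed CRL-signing certificate (constructed test data) and an empty
# CRL carrying a non-critical AIA caIssuers pointer to where that certificate can be fetched.
def issue_crl_with_aia(cn, url)
  key  = OpenSSL::PKey::RSA.new(2048)
  name = OpenSSL::X509::Name.new([["CN", cn]])
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial, cert.subject, cert.issuer = 2, 1, name, name
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 3600, Time.now + 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("keyUsage", "keyCertSign,cRLSign", true))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))

  crl = OpenSSL::X509::CRL.new
  crl.version, crl.issuer = 1, name
  crl.last_update, crl.next_update = Time.now, Time.now + 3600
  crl.add_extension(ef.create_extension("authorityInfoAccess", "caIssuers;URI:#{url}", false))
  crl.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, crl.to_der]
end

# Extract the caIssuers URI from a CRL's AIA extension by decoding the extnValue DER.
def ca_issuers_url(crl)
  ext = crl.extensions.find { |e| e.oid == "authorityInfoAccess" }
  return nil unless ext
  octets = OpenSSL::ASN1.decode(ext.to_der).value.last.value # Extension.extnValue
  OpenSSL::ASN1.decode(octets).value.each do |ad|            # SEQUENCE OF AccessDescription
    access_method, location = ad.value
    return location.value if access_method.oid == CA_ISSUERS_OID && location.tag == 6 # [6] URI
  end
  nil
end

# Relying-party side: parse the CRL, discover its signer through the CRL's own AIA pointer
# (store stands in for an HTTP or LDAP fetch keyed by URL) and verify the signature. With no
# usable pointer or no retrievable certificate the check fails closed.
def verify_crl(der, store)
  crl = OpenSSL::X509::CRL.new(der)
  url = ca_issuers_url(crl) or raise "CRL carries no AIA caIssuers pointer"
  signer = store[url] or raise "CRL signer certificate not retrievable from #{url}"
  crl.verify(signer.public_key)
end
```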
Solving the problem with SIA
- SIA may be used to provide a link to the CRL issuer certificate in some cases
- Problems with SIA:
  - Works ONLY if the CRL issuer certificate and the target certificate were issued by the same CA
  - Complex, as SIA points to all certificates issued by the CA
  - Only supports top-down path building, yet bottom-up is the most common method in implementations
  - May take years to deploy, since critical CA certificates cannot be easily replaced
Related issues
- The current definition of AIA does not clearly define storage schemas and media types
- Would benefit from a minor revision of the RFC 3280 description of AIA:
  - Replace "CA" with "authority"
  - Make appropriate changes to the attribute type for DAP access
  - Opportunity to clarify the format of the AIA target (certificate or p7 file)
Way forward
- Write a draft defining the use of AIA as a CRL extension
- Limit the work to aspects that are specific to use in CRLs
- Provide input to the update of RFC 3280 regarding generic AIA improvements; the draft does not need these changes but would benefit from them in future