Hi Stephen, *,
Burke, S (Stephen) wrote:
> ...
> I also notice in passing that a couple more CAs have CRL expiry dates
> in 2006, and three more are July, September and December 2005, all of
> which are rather long. Issuers are:
The CAs below are rather special, since they do not issue certificates
to end-entities, but to other CAs only. These CAs have very special access
procedures to access the key, and generating a CRL every month is
practically impossible. For example, to get to the ESnet Root CA 1 key,
you need the physical presence of three people, one of whom needs to
be flown in from a remote site, and the amount of auditing to be performed
takes over a day :-)
Similar procedures apply for the top-level CNRS CAs &c.

The only exception is the GridCanada CA. For the GridCanada CA I'll check
back with the CA manager, as the validity period indeed violates the CP/CPS
currently in force.

All client software will (and should) honour the longer NextUpdate fields though.
> /DC=gov/DC=fnal/O=Fermilab/OU=Certificate Authorities/CN=Top-Level CA
> /C=FR/O=CNRS/CN=CNRS-Projets
> /C=CA/O=Grid/CN=Grid Canada CA
> /C=FR/O=CNRS/CN=CNRS
> /DC=net/DC=ES/O=ESnet/OU=Certificate Authorities/CN=ESnet Root CA 1
Cheers,
DavidG.
PS: For Joe: the only thing I can think of to check is the system time/date
on the cmslcgce.fnal.gov machine, since also remote attempts using
non-DoEGrids client certs fail...