Eygene Ryabinkin wrote:
> Glenn, good day.
>
> Tue, Jun 10, 2008 at 07:28:21PM +1000, Glenn R. Moloney wrote:
>> Can someone enlighten me as to the whether it is necessary for a CA to
>> revoke an existing host certificate when issuing a new cert for that
>> host.
> As I know, there is no requirement in IGTF/EUGridPMA to revoke
> expiring certificates that were already renewed -- two overlapping
> certificates for one entity provide no troubles: they identify the
> same person that can be traced by his DN. Exceptions are the cases
> of compromised/lost key material.
>
> But sure, reality can be different and your CA can have some reasons
> to revoke certificates -- this should be brought to the light and
> discussed.
>
> I am CC'ing David Groep and Yoshio Tanaka. David, Yoshio, any
> thoughts?
David is on vacation; I'm not nearly as knowledgeable as him on the
topic, but it's our policy to revoke only if the key is compromised (or
if there is proof of misuse). There is no conflict between having
multiple valid certificates for the same DN, although we do expire the
superseded certificates from our on-line records.
Revoking a certificate is a pretty extreme measure; it's like saying
"don't trust this certificate, even though I once signed it."
When certificates expire, so do their revocations. Otherwise the CRLs
would grow indefinitely. So revoking a certificate just before it
expires sounds, well, silly.
But I'm interested to hear more insightful ideas.
Dennis van Dok
--
D.H. van Dok :: Software Engineer :: www.nikhef.nl :: www.vl-e.nl
Phone +31 20 592 50 12 :: http://www.nikhef.nl/~dennisvd/
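To make the two points of this thread concrete (overlapping certificates for one DN remain valid, and a CRL entry only needs to live until the certificate itself expires), here is a small stdlib-only Python model of a CA's issue/revoke/CRL bookkeeping. It is an added illustration, not code from either CA or from the IGTF; the DN, dates and the "keyCompromise"/"misuse" reason strings are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Cert:
    serial: int
    dn: str
    not_before: datetime
    not_after: datetime

@dataclass
class CA:
    issued: dict = field(default_factory=dict)   # serial -> Cert
    revoked: dict = field(default_factory=dict)  # serial -> (when, reason)
    next_serial: int = 1

    def issue(self, dn, start, days=365):
        cert = Cert(self.next_serial, dn, start, start + timedelta(days=days))
        self.next_serial += 1
        self.issued[cert.serial] = cert
        return cert

    def revoke(self, cert, when, reason):
        # Policy stated in the thread: revoke only on key compromise or proven misuse;
        # a merely superseded certificate is left to expire on its own.
        if reason not in ("keyCompromise", "misuse"):
            raise ValueError("superseded certificates are not revoked; let them expire")
        self.revoked[cert.serial] = (when, reason)

    def crl(self, now):
        # Entries for certificates that have already expired are dropped, which is
        # why "when certificates expire, so do their revocations" keeps the CRL bounded.
        return sorted(s for s in self.revoked if self.issued[s].not_after > now)

    def is_valid(self, cert, now):
        on_crl = cert.serial in self.revoked and self.revoked[cert.serial][0] <= now
        return cert.not_before <= now <= cert.not_after and not on_crl

def renewal_scenario():
    """Renew a host cert without revoking the old one, then revoke for compromise."""
    ca = CA()
    t0 = datetime(2008, 1, 1)
    dn = "/DC=org/DC=example/CN=host.example.org"          # constructed DN
    old = ca.issue(dn, t0)                                  # serial 1, expires day 365
    new = ca.issue(dn, t0 + timedelta(days=335))            # serial 2, overlaps with old
    overlap = t0 + timedelta(days=350)
    both_valid = ca.is_valid(old, overlap) and ca.is_valid(new, overlap)
    ca.revoke(old, overlap, "keyCompromise")                # the one case that warrants it
    crl_now = ca.crl(overlap)                               # [1]: still listed
    crl_later = ca.crl(t0 + timedelta(days=400))            # []: serial 1 expired, entry dropped
    return both_valid, ca.is_valid(old, overlap), crl_now, crl_later

def revoking_superseded_is_rejected():
    ca = CA()
    cert = ca.issue("/CN=host.example.org", datetime(2008, 1, 1))
    try:
        ca.revoke(cert, datetime(2008, 6, 1), "superseded")
    except ValueError:
        return True
    return False
```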