Hi John,
> As I understood it a Renew MUST change the serial number, but doesn't
>need to change the dates.
Yes, I am sure this is also allowed, but the most usual reason for a
"renewal" is at end of life of the previous certificate. In that case the
dates in the renewed certificate will be different. But the UK does not
do this anyway. We always re-key.
Dave
------------------------------------------------
Dr David Kelsey
Particle Physics Department
Rutherford Appleton Laboratory
Chilton, DIDCOT, OX11 0QX, UK
e-mail: [log in to unmask]
Tel: +44 (0)1235 445746 (direct)
Fax: +44 (0)1235 446733
------------------------------------------------
On 09/04/2014 12:12, "John Kewley" <[log in to unmask]> wrote:
>> -----Original Message-----
>> From: Dave Kelsey [mailto:[log in to unmask]]
>> Sent: Wednesday, April 09, 2014 11:12 AM
>> To: [log in to unmask]
>> Subject: Re: I'll test this out: https://www.gridpp.ac.uk/wiki/Grid_Certificate
>>
>> On the meaning of the word "renewal".
>>
>> According to RFC3647 renewal is defined as follows:
>>
>> "Certificate renewal means the issuance of a
>> new certificate to the subscriber without changing the subscriber or
>> other participant's public key or any other information in the
>> Certificate."
>>
>> I should add that renewal does change the valid to/from dates and the
>> serial number.
>
>As I understood it a Renew MUST change the serial number, but doesn't
>need to change the dates. For instance - re-signing with a different
>CA Cert, or with a different hash algorithm.
>Is this correct or would it need to rekey for that?
>
>> When the UK cert wizard says "renew" it should really say "rekey".
>
>Agreed - "careless talk costs lives" and "we" often carelessly use
>the word Renew when we mean Rekey
>
>Having said that *most* of the time, *most* of our users don't need to
>worry about the distinction so it
>keeps things simpler in general (but not in this case)
>
>Cheers
>
>JK
>--
>Scanned by iCritical.