Regarding the expiry of the old (2007) CA, I have created an extended
version of the CA certificate which will go out in the IGTF release
(probably 1.50 or thereabouts) scheduled for the end of this month.
The problem is that the window between the expiry of the last
certificate signed by the CA to the expiry of the CA certificate itself
- which is six days or something of that order - is insufficient to
remove the CA certificate from IGTF and have the removal release rolled
out. Which is normally not a problem, except for the misdesigned tests
which raise alerts against sites that have "invalid" CRLs. And with an
expired CA certificate, the CRL signature will appear invalid. Even if
there are no longer any valid certificates signed by the CA.

At the end of Sept., (a) sites should automatically get the extended
cert which replaces the old one, via the usual channels, (b) everyone
who has a valid cert should have been prodded anyway, to renew it under
the "2B" CA as usual, as part of normal processes.

The upshot is that no certificate owner or site will need to do anything
unusual or strange, and sites will get an extended lifetime certificate
which will keep the CRL signature checking happy for long enough for us
to remove the CA certificate via the proper IGTF channels. The cert is
valid till 23:59:59 on 31 March 2013, but we will remove it from IGTF in
December or something.

The only way for a site to shoot itself in the foot is for them to not
install the IGTF release for about a month or so, in which case they
rightly deserve any alarm they get. We can monitor those, btw, by
watching their CRL downloads of the old CRL (clever, eh?). If they also
don't download CRLs, then they doubly deserve their alarms.

I hope this is clear - incidentally, I have taken steps to update the
best practices for IGTF CAs; previously they just said that all end
entity certs should expire within the lifetime of the CA cert that
signed them, and now they need to say something more elaborate, to
accommodate these slightly bizarre tests. Quite a few CAs have recently
extended the lifetime of their CA certificates instead of rolling over,
but the ones that hadn't have been bitten by this problem (if a problem
can bite) - of course _we_ will now avoid this with the temporary
extension. We deployed the 2A and 2B certificates yesteryear instead of
extending the lifetime of the 2007 certificate, because we need to
refresh the CA key to improve the resilience and minimise the risk of
loss of key (the 2007 key is running on old signing hardware which,
although backed up, and more recent hardware can emulate the old stuff,
I'd prefer not to go that way because it doesn't work quite as well as
it should.)

Rightyho. So in short, don't worry, keep calm, and carry on. Any
questions, let me know.

Thanks
--jens
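As an added illustration (not part of Jens's message), the timing argument above modelled in Python: the removal window between the last end-entity expiry and the CA expiry, and a strict CRL check of the kind the message complains about beside one that only treats an expired issuer as an error while certificates it signed could still be live. Apart from the 31 March 2013 end of the extended certificate, all dates and the one-month release lead time are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed timeline for illustration. Only the 31 March 2013 end of the
# extended certificate comes from the message; the remaining dates are
# assumptions chosen so that the last end-entity certificate expires six
# days before the old CA certificate, as the message describes.
LAST_EE_NOT_AFTER = datetime(2012, 9, 24, 23, 59, 59)       # constructed
OLD_CA_NOT_AFTER = LAST_EE_NOT_AFTER + timedelta(days=6)    # "six days or so"
EXTENDED_CA_NOT_AFTER = datetime(2013, 3, 31, 23, 59, 59)   # from the message
RELEASE_LEAD = timedelta(days=30)   # assumed time to roll out an IGTF release
CRL_NEXT_UPDATE = datetime(2012, 11, 1)                     # constructed
CHECK_TIME = datetime(2012, 10, 15)   # constructed: after the old CA expiry


def removal_window_ok(ca_not_after, last_ee_not_after, lead=RELEASE_LEAD):
    """True if the CA cert outlives its last issued cert by at least `lead`,
    i.e. a removal release can be published and rolled out before the CA
    cert itself expires and CRL signature checks start failing."""
    return ca_not_after - last_ee_not_after >= lead


def crl_status_strict(now, ca_not_after, crl_next_update):
    """The kind of test the message objects to: once the issuer certificate
    has expired the CRL is reported invalid, whether or not any certificate
    signed by that CA is still live."""
    if now > ca_not_after:
        return "invalid: issuer certificate expired"
    if now > crl_next_update:
        return "invalid: CRL stale"
    return "valid"


def crl_status_lenient(now, ca_not_after, crl_next_update, last_ee_not_after):
    """Alternative: an expired issuer is only an error while some end-entity
    certificate it signed could still be within its validity period."""
    if now > crl_next_update:
        return "invalid: CRL stale"
    if now > ca_not_after and now <= last_ee_not_after:
        return "invalid: issuer expired with live certificates"
    if now > ca_not_after:
        return "ignorable: issuer retired, no live certificates"
    return "valid"


def summary():
    """Evaluate the scenario with the old and with the extended CA cert."""
    return {
        "old_window_ok": removal_window_ok(OLD_CA_NOT_AFTER, LAST_EE_NOT_AFTER),
        "extended_window_ok": removal_window_ok(EXTENDED_CA_NOT_AFTER, LAST_EE_NOT_AFTER),
        "old_strict": crl_status_strict(CHECK_TIME, OLD_CA_NOT_AFTER, CRL_NEXT_UPDATE),
        "old_lenient": crl_status_lenient(CHECK_TIME, OLD_CA_NOT_AFTER, CRL_NEXT_UPDATE, LAST_EE_NOT_AFTER),
        "extended_strict": crl_status_strict(CHECK_TIME, EXTENDED_CA_NOT_AFTER, CRL_NEXT_UPDATE),
    }
```

Running `summary()` shows the six-day window failing the lead-time check while the extended certificate passes it, and the same post-expiry CRL being flagged by the strict check but not by the lenient one.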