I think you can cobble something using PeCR scripts or insert PKCS10 into OpenCA (but not our new portal - we know we can permit
it but won't release that code unless users request it) BUT we only sign them for 1 year.
There certainly are other variants for user certs. I think some can renew for up to 3 and then have to rekey. Others have to see their RA every 5 years
whereas we only have to see the RA up front.
Robot certs I think we might do for 3 years, but I think they are h/w backed and they are hand-signed by Jens and bypass some of the usual
mechanisms. I say "think" since all this is done behind closed doors by Jens.
JK
> -----Original Message-----
> From: Dave Kelsey [mailto:[log in to unmask]]
> Sent: Wednesday, April 09, 2014 1:30 PM
> To: [log in to unmask]
> Subject: Re: I'll test this out: https://www.gridpp.ac.uk/wiki/Grid_Certificate
>
> Oh and by the way, there are different rules for private keys held on
> hardware tokens.
>
> The Classic Authentication profile (V4.3) from IGTF says:
>
> "A certificate whose private key is managed in a software-based token
> should only be re-keyed, not renewed. Certificates associated with a private
> key restricted solely to a hardware token may be renewed for a period of up
> to 5 years (for equivalent RSA key lengths of 2048 bits) or 3 years (for
> equivalent RSA key lengths of 1024 bits).
> Certifications must not be renewed or re-keyed for more than 5 years
> without a form of auditable identity and eligibility verification, and this
> procedure must be described in the CP/CPS."
>
> So, if anyone has host certificates on hardware tokens (perhaps there are
> none?), in this case it will be necessary to re-key. I imagine the certificate
> wizard does not cater for hardware tokens (I haven't checked).
>
> Regards
>
> Dave
>
> ------------------------------------------------
> Dr David Kelsey
> Particle Physics Department
> Rutherford Appleton Laboratory
> Chilton, DIDCOT, OX11 0QX, UK
>
> e-mail: [log in to unmask]
> Tel: [+44](0)1235 445746 (direct)
> Fax: [+44](0)1235 446733
> ------------------------------------------------
>
> On 09/04/2014 12:12, "John Kewley" <[log in to unmask]> wrote:
>
> >> -----Original Message-----
> >> From: Dave Kelsey [mailto:[log in to unmask]]
> >> Sent: Wednesday, April 09, 2014 11:12 AM
> >> To: [log in to unmask]
> >> Subject: Re: I'll test this out: https://www.gridpp.ac.uk/wiki/Grid_Certificate
> >>
> >> On the meaning of the word "renewal".
> >>
> >> According to RFC3647 renewal is defined as follows:
> >>
> >> "Certificate renewal means the issuance of a
> >> new certificate to the subscriber without changing the subscriber or
> >> other participant's public key or any other information in the
> >> Certificate."
> >>
> >> I should add that renewal does change the valid to/from dates and the
> >> serial number.
> >
> >As I understood it a Renew MUST change the serial number, but doesn't
> >need to change the dates. For instance - re-signing with a different CA
> >Cert, or with a different hash algorithm.
> >Is this correct or would it need to rekey for that?
> >
> >> When the UK cert wizard says "renew" it should really say "rekey".
> >
> >Agreed - "careless talk costs lives" and "we" often carelessly use
> >the word Renew when we mean Rekey.
> >
> >Having said that, *most* of the time *most* of our users don't need to
> >worry about the distinction, so it keeps things simpler in general (but
> >not in this case).
> >
> >Cheers
> >
> >JK
> >--
> >Scanned by iCritical.
>
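The renewal-versus-rekey distinction argued over in this thread (RFC 3647: a renewal keeps the subscriber's public key and changes only the serial number and validity dates; anything that presents a new public key is a rekey) and the IGTF Classic profile limits quoted by Dave can both be checked mechanically. The program below is an added example written for this page, not code from the thread, the GridPP wiki, or the UK CA's wizard. It assumes a throwaway test CA and a constructed host subject ("host.example.invalid"), and it reads the quoted profile sentence as applying to RSA keys; the function and variable names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// classify labels cand relative to prev using the RFC 3647 distinction quoted in
// the thread: renewal keeps subject and public key (only serial and validity
// change); rekey binds the same subject to a new key. Raw DER SPKI is compared.
func classify(prev, cand *x509.Certificate) string {
	if !bytes.Equal(prev.RawSubject, cand.RawSubject) {
		return "unrelated"
	}
	if prev.SerialNumber.Cmp(cand.SerialNumber) == 0 {
		return "same-certificate" // any reissue must carry a fresh serial number
	}
	if bytes.Equal(prev.RawSubjectPublicKeyInfo, cand.RawSubjectPublicKeyInfo) {
		return "renewal"
	}
	return "rekey"
}

// maxRenewalYears encodes the IGTF Classic profile sentence quoted above (assumed
// here to apply to RSA keys): software-token keys are re-keyed only (0 years of
// renewal); hardware-token keys may be renewed 5 years at 2048 bits, 3 at 1024.
func maxRenewalYears(hardwareToken bool, rsaBits int) int {
	switch {
	case !hardwareToken:
		return 0
	case rsaBits >= 2048:
		return 5
	case rsaBits >= 1024:
		return 3
	}
	return 0
}

// withinVettingWindow checks the "not more than 5 years without auditable identity
// verification" clause: the proposed NotAfter must not exceed lastVetted + 5 years.
func withinVettingWindow(lastVetted, notAfter time.Time) bool {
	return !notAfter.After(lastVetted.AddDate(5, 0, 0))
}

// must unwraps (value, error) pairs in the demo; any failure aborts the run.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs an end-entity certificate for pub under ca (constructed sample subject).
func issue(ca *x509.Certificate, caKey *rsa.PrivateKey, pub *rsa.PublicKey,
	serial int64, notBefore time.Time, years int) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "host.example.invalid"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(years, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// demo builds a throwaway CA and a one-year host cert, then issues a renewal (same
// key, new serial/dates) and a rekey (new key); returns labels for renewal, rekey, self.
func demo() []string {
	start := time.Date(2014, time.April, 9, 0, 0, 0, 0, time.UTC)
	caKey := must(rsa.GenerateKey(rand.Reader, 2048))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: start, NotAfter: start.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	hostKey := must(rsa.GenerateKey(rand.Reader, 2048))
	first := must(issue(ca, caKey, &hostKey.PublicKey, 100, start, 1))
	renewed := must(issue(ca, caKey, &hostKey.PublicKey, 101, start.AddDate(1, 0, 0), 1))
	newKey := must(rsa.GenerateKey(rand.Reader, 2048))
	rekeyed := must(issue(ca, caKey, &newKey.PublicKey, 102, start.AddDate(1, 0, 0), 1))
	return []string{classify(first, renewed), classify(first, rekeyed), classify(first, first)}
}

func main() {
	fmt.Println("labels (renewal, rekey, same):", demo())
	fmt.Println("hardware-token RSA-2048 renewal years:", maxRenewalYears(true, 2048))
}
```

Run with `go run .`; the labels come out as renewal, rekey, same-certificate. An RA or CA operator can run `classify` over a subscriber's certificate history to see whether a "renew" button actually renewed or rekeyed, and `maxRenewalYears` together with `withinVettingWindow` to confirm that the resulting chain of issuances stays inside the quoted profile limits.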