Re: Root CA CRLs


In article <m3d58gjn3l.fsf@xxxxxxxxxxxxxxxxxxx>, lynn@xxxxxxxxxx says...
Seeker <newsgroups@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> writes:
I'm setting up a two-tier PKI hierarchy. The root will be offline and
will sign the issuing CA certificate. What is the best-practice for the
root Certificate Revocation List and revoking the root certificate?

Should I immediately revoke the root certificate after creating the
issuing CA and store it in a secure location in case the passphrase is lost?

Should I create a certificate revocation list from the root or only on
the issuing CA? I certainly don't want to have to retrieve the root
authority to update the list, but will the clients handle this OK if the
root public key is in the browser but the issuing CA revokes
certificates and publishes the list? I would think so, since the chain
should be intact.

scrap PKIs, certification authorities, and certificate revocation list
... and migrate to real-time, online infrastructure.

the original kerberos pk-init ... misc. past posts

started out with a certificateless public key infrastructure ... the
registration authority (which is common to lots of business processes)
just registered the public key in lieu of a password ... w/o having to
issue a certificate ... misc. past posts

so entities can connect/login just thru kerberos digital signature
authentication protocol ... where the digital signature is directly
verified by doing real-time access to the registered public key.

note there was also a similar certificateless done for radius ...
again, w/o having to resort to any of the PKI, certification
authority, and/or certificate revocation list stuff.

for the SSL, server authentication/encryption scenario ... misc.
past posts

the scenario involved registering public keys with the domain name
infrastructure ... and doing real-time retrieval of public keys as
part of the existing domain name infrastructure protocols (even
piggyback in existing transmission).

the issue here was that the PKI/CA business operations were already
somewhat advocating registration of public keys with the domain name
infrastructure ... as a countermeasure to some integrity issues that
the SSL domain name certificate operations have ... aka as part of a
certification authority certifying a SSL domain name certificate
operations ... they have to validate that they are dealing with the
