Re: Offline Root Certificate Server and subordinate CA
From: Paul Adare (padare_at_newsguy.com)
Date: 03/17/05
- Previous message: Steven L Umbach: "Re: Event ID 538 Logon Type 3 NT AUTHORITY/ANONYMOUS LOGON"
- In reply to: Steven L Umbach: "Re: Offline Root Certificate Server and subordinate CA"
- Next in thread: Steven L Umbach: "Re: Offline Root Certificate Server and subordinate CA"
- Reply: Steven L Umbach: "Re: Offline Root Certificate Server and subordinate CA"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 17 Mar 2005 04:04:20 -0500
In article <O01CfGrKFHA.572@tk2msftngp13.phx.gbl>, in the
microsoft.public.win2000.security news group, Steven L Umbach
<n9rou@nospam-comcast.net> says...
> As
> far as the empty CDP/AIA, that depends on your particular needs for security
> and performance.
The requirement for empty AIA and CRL distribution points for a root CA
has nothing to do with performance nor security. For the AIA, the AIA
location is used to build a certificate chain and the AIA distribution
point in an issued certificate is used to locate the certificate of the
CA that issued that certificate. To find the root CA certificate, all we
need is the AIA location from any certificate issued by the root. The
root is the top level so once we have its certificate, we don't need to
find anymore, therefore no need for an AIA distribution point in it.
As far as having an empty CDP location for the root, RFC 3280 calls for
applications to stop revocation checking one level below a self signed
certificate in the chain. Also, keep in mind that a CRL is a signed
document, so with the root CA you've got a chicken and egg situation. If
you were to revoke the root CA certificate, you then need to use the
revoked certificate to sign the CRL that contains the revocation. :-)
> I have also read where it is recommended in many situations
> to increase the length of CRL life to six months for the offline CA based on
> the assumption that it is secured and the likelyhood that it would ever have
> it's certificate revoked is extremely unlikely.
Now you're confusing the CRL that a root CA issues (which would only
ever contain certificates that it issued) with a theoretical CRL that
would contain its own certificate.
-- Paul Adare "On two occasions, I have been asked [by members of Parliament], 'Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able to rightly apprehend the kind of confusion of ideas that could provoke such a question." -- Charles Babbage (1791-1871)
- Previous message: Steven L Umbach: "Re: Event ID 538 Logon Type 3 NT AUTHORITY/ANONYMOUS LOGON"
- In reply to: Steven L Umbach: "Re: Offline Root Certificate Server and subordinate CA"
- Next in thread: Steven L Umbach: "Re: Offline Root Certificate Server and subordinate CA"
- Reply: Steven L Umbach: "Re: Offline Root Certificate Server and subordinate CA"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
