[caops-wg] Certificate Bridging and the Grid Certificate Profile version 0.21

Reimer Karlsen-Masur, DFN-CERT karlsen-masur at dfn-cert.de
Wed Mar 28 03:02:28 CDT 2007


Hi,

Mike Helm wrote:
> Scott Rea writes:
>> Using AKI is definitely recommended for Bridging - it makes it easier to 
>> discover appropriate paths. The SURA documentation is not advising 
>> against this, they are in fact recommending that you do use it - but use 
>> the keyid version rather than the dirname version.
> 
> I believe we are (or should be) recommending the same thing in the profile;

ACK

> the directory name version usage has led to problems with CA key rollover.

Well, if the key of the authority changes, the hash variant of the AKI 
changes too.

IMO it was not the key rollover, it was the reissuing of a CA cert with e.g. 
an extended lifetime or a different signing hash (md5 towards sha1) which 
was easier with the hash AKI. In this case the serial number could be 
changed without affecting the evaluation of preexisting certification paths. 
The changed CA cert could just be replaced.

-- 
Beste Gruesse / Kind Regards

Reimer Karlsen-Masur

DFN-PKI FAQ: https://www.pki.dfn.de/faqpki
--
Dipl.-Inform. Reimer Karlsen-Masur (PKI Team), Phone +49 40 808077-615
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
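The point made above about the two AKI forms, as an added illustration that is not part of the original mail: a toy model (no real X.509 parsing; CA names, serials and key bytes are constructed) showing that the keyIdentifier form still matches a reissued CA cert with the same key and a new serial, while the issuer/serial form does not, and that a real key rollover breaks both.

```python
"""Toy model of the two AuthorityKeyIdentifier (AKI) forms of RFC 5280 4.2.1.2.
Constructed example: no real certificates, only the matching logic a path
builder applies when it looks for the issuer cert named by an AKI."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class CaCert:
    subject: str       # issuer distinguished name (constructed)
    serial: int        # serial number of the CA cert itself
    public_key: bytes  # subjectPublicKey bytes (constructed sample)


def key_identifier(public_key: bytes) -> bytes:
    # RFC 5280 4.2.1.2 method (1): SHA-1 over the subjectPublicKey bits
    return hashlib.sha1(public_key).digest()


def aki_keyid(ca: CaCert) -> dict:
    """AKI as written into an end-entity cert using the keyIdentifier form."""
    return {"keyIdentifier": key_identifier(ca.public_key)}


def aki_issuer_serial(ca: CaCert) -> dict:
    """AKI using the authorityCertIssuer + authorityCertSerialNumber form."""
    return {"authorityCertIssuer": ca.subject,
            "authorityCertSerialNumber": ca.serial}


def aki_matches(aki: dict, candidate: CaCert) -> bool:
    """Would `candidate` be accepted as the issuer cert named by `aki`?"""
    if "keyIdentifier" in aki:
        return aki["keyIdentifier"] == key_identifier(candidate.public_key)
    return (aki["authorityCertIssuer"] == candidate.subject
            and aki["authorityCertSerialNumber"] == candidate.serial)


def demo() -> dict:
    ca_key = b"constructed-sample-ca-public-key-bytes"
    original = CaCert("CN=Example CA", serial=1, public_key=ca_key)
    ee_keyid = aki_keyid(original)            # EE cert issued with keyid AKI
    ee_dirname = aki_issuer_serial(original)  # EE cert issued with dirname AKI
    # Case 1: CA cert reissued with the same key but a new serial
    reissued = CaCert("CN=Example CA", serial=2, public_key=ca_key)
    # Case 2: CA key rollover, i.e. a genuinely new key
    rolled = CaCert("CN=Example CA", serial=3, public_key=b"constructed-new-key")
    return {"reissue_keyid": aki_matches(ee_keyid, reissued),
            "reissue_dirname": aki_matches(ee_dirname, reissued),
            "rollover_keyid": aki_matches(ee_keyid, rolled),
            "rollover_dirname": aki_matches(ee_dirname, rolled)}
```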