Re: [Cfrg] How to issue CRLs after the private key of old root certificate has been destroyed?

"Salz, Rich" <rsalz@akamai.com> Tue, 28 July 2020 12:16 UTC

From: "Salz, Rich" <rsalz@akamai.com>
To: Wang Guilin <Wang.Guilin@huawei.com>, "lamps@ietf.org" <lamps@ietf.org>
Thread-Topic: [Cfrg] How to issue CRLs after the private key of old root certificate has been destroyed?
Thread-Index: AQHWZNjaO2G2MAfO80KxQHMPQXJnGA==
Date: Tue, 28 Jul 2020 12:16:00 +0000
Message-ID: <123C83B5-DFCB-4409-80A7-7DFA45056B7F@akamai.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/Fwwi7PIKXKu9EveQ8RLKeX6gKo8>
X-Mailman-Approved-At: Wed, 29 Jul 2020 22:37:12 -0700
Subject: Re: [Cfrg] How to issue CRLs after the private key of old root certificate has been destroyed?

Moving CFRG to BCC; the LAMPS working group is a better place (it handles 5280 updates) to discuss this.

On 7/28/20, 6:22 AM, "Wang Guilin" <Wang.Guilin@huawei.com> wrote:

    Dear all, 

    I am here to ask one question about revoking PKI certificates. 

    In practice, to guarantee high security, the validity (say 10 years) of a root certificate private key may be essentially shorter than the validity (say 30 years) of the corresponding public key. After the first 10 years, a new root certificate with a new key pair will be generated, and the old root private key may even be destroyed. After that, however, how can we use the new root private key to issue CRLs to revoke certificates previously signed by the old root private key? 

    At first, I thought this is the case of using the indirect revocation mechanism discussed in RFC 5280, which may involve the link certificate NewWithOld, which is a certificate for the new root public key signed by the old root private key. However, it seems that indirect revocation only works for different entities. Namely, by using indirect revocation, the certificates issued by A can be revoked by a different entity B. However, in the above case, the old and new root certificates are for the same entity (or owner). So, my real question is: Can indirect revocation be used in such a scenario? If not, is there any good way to do this, especially if interoperability with TLS, SSL, IPSec etc. is required? 

    Thanks a lot in advance, 

    Guilin

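The rollover the question describes, modelled end to end as an added example (this is not code from the thread or from any of its participants, and every name, key and date in it is constructed). It uses the Python `cryptography` package to build an old root, an end-entity certificate issued under it, a new root with the same subject name, the NewWithOld link certificate, and then, after the old private key is dropped, a CRL signed by the new key that revokes the old-key-issued certificate. The relying-party function shows the mechanics that make this checkable: the CRL's AuthorityKeyIdentifier names the signing key, so a party that trusts only the old root can verify the CRL once it holds NewWithOld, and cannot when it only has the new self-signed root. The example does not settle whether the RFC 5280 indirect-CRL profile is the right tool here; that is the question the thread leaves open.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed values for this example; none of them come from the thread.
ROOT_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Root CA")])
EE_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "server.example")])
T0 = datetime.datetime(2020, 1, 1)
YEAR = datetime.timedelta(days=365)


def make_cert(subject, pubkey, issuer_name, signing_key, years, ca):
    """Issue a certificate. The AuthorityKeyIdentifier records which *key* signed it,
    which lets a relying party tell the old and new root keys apart when both roots
    carry the same subject name."""
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer_name)
        .public_key(pubkey)
        .serial_number(x509.random_serial_number())
        .not_valid_before(T0)
        .not_valid_after(T0 + years * YEAR)
        .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
        .add_extension(x509.SubjectKeyIdentifier.from_public_key(pubkey), critical=False)
        .add_extension(
            x509.AuthorityKeyIdentifier.from_issuer_public_key(signing_key.public_key()),
            critical=False,
        )
    )
    return builder.sign(signing_key, hashes.SHA256())


def build_pki():
    """Old root issues an EE cert; the CA rolls to a new key, publishes NewWithOld,
    destroys the old key, then revokes the EE cert with the new key."""
    old_key = ec.generate_private_key(ec.SECP256R1())
    old_root = make_cert(ROOT_NAME, old_key.public_key(), ROOT_NAME, old_key, 30, True)
    ee_key = ec.generate_private_key(ec.SECP256R1())
    ee_cert = make_cert(EE_NAME, ee_key.public_key(), ROOT_NAME, old_key, 1, False)

    new_key = ec.generate_private_key(ec.SECP256R1())
    new_root = make_cert(ROOT_NAME, new_key.public_key(), ROOT_NAME, new_key, 30, True)
    # NewWithOld: new public key, same name, signed by the old key while it still exists.
    new_with_old = make_cert(ROOT_NAME, new_key.public_key(), ROOT_NAME, old_key, 20, True)
    del old_key  # old private key destroyed; only old_root (its public half) remains

    revoked = (
        x509.RevokedCertificateBuilder()
        .serial_number(ee_cert.serial_number)
        .revocation_date(T0 + 10 * YEAR)
        .add_extension(x509.CRLReason(x509.ReasonFlags.key_compromise), critical=False)
        .build()
    )
    crl = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ROOT_NAME)  # same issuer name the old root used
        .last_update(T0 + 10 * YEAR)
        .next_update(T0 + 10 * YEAR + datetime.timedelta(days=30))
        .add_extension(x509.CRLNumber(1), critical=False)
        # The AKI is what tells a verifier that the *new* key signed this CRL.
        .add_extension(
            x509.AuthorityKeyIdentifier.from_issuer_public_key(new_key.public_key()),
            critical=False,
        )
        .add_revoked_certificate(revoked)
        .sign(new_key, hashes.SHA256())
    )
    return old_root, new_root, new_with_old, ee_cert, crl


def _key_id(cert):
    return cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value.digest


def _signed_by(pubkey, cert):
    """True if `cert`'s ECDSA signature verifies under `pubkey`."""
    try:
        pubkey.verify(cert.signature, cert.tbs_certificate_bytes,
                      ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def crl_verifies_under(trust_anchor, crl, available_certs):
    """Relying-party check: pick a CA certificate whose subject equals the CRL issuer
    name and whose key matches the CRL's AKI, require it to be the trust anchor or to
    be directly signed by the anchor's key, then verify the CRL signature with it."""
    aki = crl.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value
    for cand in available_certs:
        if cand.subject != crl.issuer or _key_id(cand) != aki.key_identifier:
            continue
        trusted = cand == trust_anchor or (
            cand.issuer == trust_anchor.subject and _signed_by(trust_anchor.public_key(), cand)
        )
        if trusted:
            return crl.is_signature_valid(cand.public_key())
    return False


def is_revoked(crl, cert):
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None


if __name__ == "__main__":
    old_root, new_root, link, ee, crl = build_pki()
    print("trusts new root          :", crl_verifies_under(new_root, crl, [new_root]))
    print("trusts old root, has link:", crl_verifies_under(old_root, crl, [old_root, link]))
    print("trusts old root, no link :", crl_verifies_under(old_root, crl, [old_root, new_root]))
    print("EE cert revoked          :", is_revoked(crl, ee))
```

The third case is the one to watch in a deployment: a relying party that still anchors on the old root and has only the new self-signed root finds a certificate with the right name and key identifier but cannot chain it to its anchor, so the CRL is unusable to it. Publishing NewWithOld (and keeping it retrievable for as long as old-root-issued certificates are in circulation) is what closes that gap.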