IETF Logo Mail Archive

Re: Online Certificate Revocation Protocol

Tony Bartoletti <azb@llnl.gov> Sat, 09 June 2001 00:08 UTC

Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with SMTP id UAA22145 for <pkix-archive@odin.ietf.org>; Fri, 8 Jun 2001 20:08:52 -0400 (EDT)
Received: by above.proper.com (8.9.3/8.9.3) id QAA08256 for ietf-pkix-bks; Fri, 8 Jun 2001 16:34:41 -0700 (PDT)
Received: from smtp-1.llnl.gov (smtp-1.llnl.gov [128.115.250.81]) by above.proper.com (8.9.3/8.9.3) with ESMTP id QAA08248 for <ietf-pkix@imc.org>; Fri, 8 Jun 2001 16:34:35 -0700 (PDT)
Received: from poptop.llnl.gov (localhost [127.0.0.1]) by smtp-1.llnl.gov (8.9.3/8.9.3/LLNL-gateway-1.0) with ESMTP id QAA07092; Fri, 8 Jun 2001 16:34:08 -0700 (PDT)
Received: from catalyst.llnl.gov (catalyst.llnl.gov [128.115.222.68]) by poptop.llnl.gov (8.8.8/LLNL-3.0.2/pop.llnl.gov-5.1) with ESMTP id QAA06096; Fri, 8 Jun 2001 16:34:08 -0700 (PDT)
Message-Id: <4.3.2.7.2.20010608163807.00b15e50@poptop.llnl.gov>
X-Sender: e048786@poptop.llnl.gov
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Fri, 08 Jun 2001 16:41:46 -0700
To: hansenw@ece.ubc.ca
From: Tony Bartoletti <azb@llnl.gov>
Subject: Re: Online Certificate Revocation Protocol
Cc: "Housley, Russ" <rhousley@rsasecurity.com>, pgut001@cs.auckland.ac.nz, ietf-pkix@imc.org
In-Reply-To: <3B2155E7.B9A2E933@home.com>
References: <99201808810990@kahu.cs.auckland.ac.nz> <4.3.2.7.2.20010608142302.00b0ea00@poptop.llnl.gov>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
List-ID: <ietf-pkix.imc.org>

At 03:47 PM 6/8/01 -0700, Hansen Wang wrote:


> > A question:  If one discovers that they have accidently destroyed their
> > private key (and there is no evidence of compromise), are they under any
> > particular obligation to request revocation?  Is there any liability, or
> > other real "downside" to simply getting a new key and keeping mum about the
> > fate of the former key?
>
>Assuming that the entity which lost their private key wanted another
>certificate with a new key pair but wanted the same name. What would
>happen if their were two certificates in existance with the same name?
>Wouldn't the CA not allow this? Or request documentation/proof (maybe
>out-of-band methods) of ownership of the name and then the CA would
>revoke the previous certificate base on the out-of-band proof and issue
>a new one with the same name?
>
>Hansen Wang <hansenw@ece.ubc.ca>


I don't think so.  X.509 supports "key-implies-name".  You are suggesting 
that it also supports "name-implies-key".  I don't believe there is such a 
restriction in general (although a CA may decide per policy).

Is there some specific threat enabled if the key/name relation is many-to-one?

___tony___



Tony Bartoletti 925-422-3881 <azb@llnl.gov>
Information Operations, Warfare and Assurance Center
Lawrence Livermore National Laboratory
Livermore, CA 94551-9900

v2.23.0 | Report a Bug | By Email