Re: [lamps] rollover of CA

Michael Richardson <mcr+ietf@sandelman.ca> Fri, 03 September 2021 18:01 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Deb Cooley <debcooley1@gmail.com>, SPASM <spasm@ietf.org>
In-Reply-To: <CAGgd1Odk-xVmYb8-i-1pCv-n=oeFCnjt-xsCC9mqvGowaLpeZg@mail.gmail.com>
References: <17240.1630591789@localhost> <CAErg=HH9o8wXgo9RS0GDrn6ZgL7TD3TF25PiUNW7XePML7252w@mail.gmail.com> <CAGgd1Odk-xVmYb8-i-1pCv-n=oeFCnjt-xsCC9mqvGowaLpeZg@mail.gmail.com>
Date: Fri, 03 Sep 2021 14:01:00 -0400
Message-ID: <16957.1630692060@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/67dRaCwxg2rM00D4w4g8SPJj8YM>

Deb Cooley <debcooley1@gmail.com> wrote:
    > What exactly are you interested in?

Ryan got it exactly.
This is about rollover of CAs in IoT systems.
These aren't public today, but it needs to rekey, not re-enroll.
There is a fair bit of concern out there about

    > over.  We stand up new Roots and new subCAs.  In general, we don't name
    > them the same.  When a new Root or sub CA is stood up, we make an
    > announcement to the community and there is an app that makes it easier
    > to do the trust store management. US Fed PKI just stood up a new Root
    > CA for their Common Policy Root CA - same thing, different name,
    > different keys, different dates, and (I think) different key sizes.

So, by "don't name them the same", you mean, the new one is "Federal Super
Issuer 2021" vs "Federal Super Issuer 2011"?


--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
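As an added example, not code from this thread or from any Fed PKI tooling, the Go program below stands up two self-signed roots with different names and different keys, the way the quoted reply describes ("Federal Super Issuer 2011" vs "Federal Super Issuer 2021"), issues one device certificate under each, and checks which device a trust store accepts before the new root is installed, while both roots are present, and after the old root is dropped. All names, keys and serials are constructed for the example; nothing here is a real CA.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue signs a cert for cn with parent, or self-signs it when parent is nil (all keys constructed here).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil { // root: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// trusted reports whether leaf chains to some root in the device's trust store.
func trusted(leaf *x509.Certificate, store ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range store {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// Rollover: old root "Federal Super Issuer 2011", new differently named and keyed root "...2021", one device
// cert under each. Returns: oldDev/old store, newDev/old store, newDev/both roots, oldDev/new-only store.
func Rollover() (bool, bool, bool, bool) {
	oldRoot, oldKey := issue("Federal Super Issuer 2011", true, nil, nil)
	newRoot, newKey := issue("Federal Super Issuer 2021", true, nil, nil)
	oldDev, _ := issue("device-0001", false, oldRoot, oldKey)
	newDev, _ := issue("device-0002", false, newRoot, newKey)
	return trusted(oldDev, oldRoot), trusted(newDev, oldRoot),
		trusted(newDev, oldRoot, newRoot), trusted(oldDev, newRoot)
}
```

The second and fourth results are the two failure modes trust-store management has to cover: a device that has not yet received the announced new root rejects peers issued under it, and a device that drops the old root before every peer has rekeyed rejects peers still on the old chain.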