Re: [lamps] rollover of CA

Deb Cooley <debcooley1@gmail.com> Thu, 02 September 2021 19:38 UTC

From: Deb Cooley <debcooley1@gmail.com>
Date: Thu, 02 Sep 2021 15:38:11 -0400
Message-ID: <CAGgd1Odk-xVmYb8-i-1pCv-n=oeFCnjt-xsCC9mqvGowaLpeZg@mail.gmail.com>
To: Ryan Sleevi <ryan-ietf@sleevi.com>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, SPASM <spasm@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/e_rIXHnQad0Qi2snBYsagJvq5XU>
Subject: Re: [lamps] rollover of CA

What exactly are you interested in?

Today's CA systems do this in a variety of ways.

We (US DOD) have Root CAs, and sub CAs.  We don't roll any of that over.
We stand up new Roots and new subCAs.  In general, we don't name them the
same.  When a new Root or sub CA is stood up, we make an announcement to
the community and there is an app that makes it easier to do the trust
store management. US Fed PKI just stood up a new Root CA for their Common
Policy Root CA - same thing, different name, different keys, different
dates, and (I think) different key sizes.

Some CAs will rekey.  Name remains the same, key changes, dates change (at
least the expiry date).  I'm not (personally) familiar with how this is
managed.   I want to say that Entrust's systems work that way (I could
easily be wrong though).

Ryan can tell you more about how the public trust stores manage a Root CA
update/rekey/whatever.

Deb Cooley
decoole@nsa.gov
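The rollover scheme Ryan's reply points at (RFC 4210 section 4.4, the OldWithNew / NewWithOld certificate pair) and the same-name rekey described above, modelled as an added example that is not code from this thread or from any CA product: a toy path builder showing why a relying party must match issuers by key identifier, because after a rekey four "Root" certificates share one name. All names, key ids and certificates are constructed.

```python
"""Toy model of RFC 4210 section 4.4 CA key rollover (OldWithNew / NewWithOld)
and the path building a relying party must do when the CA keeps its name but
changes its key.  Constructed data, not real certificates."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str        # subject name
    issuer: str         # issuer name
    key_id: str         # SubjectKeyIdentifier: identifies this cert's own key
    signer_key_id: str  # AuthorityKeyIdentifier: the key that signed it

# The CA "Root" rolls from key K1 to key K2 without renaming itself (constructed).
OLD_WITH_OLD = Cert("Root", "Root", "K1", "K1")   # original self-signed root
NEW_WITH_NEW = Cert("Root", "Root", "K2", "K2")   # new self-signed root
NEW_WITH_OLD = Cert("Root", "Root", "K2", "K1")   # new key certified by old key
OLD_WITH_NEW = Cert("Root", "Root", "K1", "K2")   # old key certified by new key
EE_OLD = Cert("server", "Root", "E1", "K1")       # issued before the rollover
EE_NEW = Cert("server", "Root", "E2", "K2")       # issued after the rollover
POOL = [OLD_WITH_OLD, NEW_WITH_NEW, NEW_WITH_OLD, OLD_WITH_NEW]

def issuer_candidates(cert, pool, use_key_ids):
    """Certs that could have issued `cert`.  Matching on issuer name alone is
    ambiguous after a same-name rollover; the key identifiers disambiguate."""
    by_name = [c for c in pool if c.subject == cert.issuer]
    if not use_key_ids:
        return by_name
    return [c for c in by_name if c.key_id == cert.signer_key_id]

def build_path(leaf, trusted_keys, pool, max_len=4):
    """Depth-first path from `leaf` to a cert signed by a trusted key, trying
    candidates signed by a trusted key first (an RFC 4158-style preference).
    Returns the list of (subject, key_id) pairs, or None if no path exists."""
    def walk(cert, path):
        if cert.signer_key_id in trusted_keys:
            return [(c.subject, c.key_id) for c in path]
        if len(path) >= max_len:
            return None
        cands = sorted(issuer_candidates(cert, pool, use_key_ids=True),
                       key=lambda c: c.signer_key_id not in trusted_keys)
        for cand in cands:
            if cand not in path:                      # no loops
                found = walk(cand, path + [cand])
                if found:
                    return found
        return None
    return walk(leaf, [leaf])

if __name__ == "__main__":
    print(len(issuer_candidates(EE_NEW, POOL, False)))  # 4 same-named roots
    print(build_path(EE_OLD, {"K2"}, POOL))  # old EE cert, only new key trusted
    print(build_path(EE_NEW, {"K1"}, POOL))  # new EE cert, only old key trusted
```

A relying party that trusts only the new key validates pre-rollover certificates through OldWithNew, and one that trusts only the old key validates post-rollover certificates through NewWithOld; if the CA had been given a new name instead (as described above), the name match alone would be unambiguous.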
On Thu, Sep 2, 2021 at 11:09 AM Ryan Sleevi <ryan-ietf@sleevi.com> wrote:

> I mean, there's https://datatracker.ietf.org/doc/html/rfc4210#section-4.4,
> but that's more or less unsupported, and I would strongly recommend against
> it: the _key_ rollover creates vast issues with implementations.
>
> Otherwise, if we're talking about (Subject + SPKI) changes, that's just
> normal cross-certification. RFC 4158 is not widely supported in
> implementations (particularly open-source software), so care must be taken.
>
> Other protocols take different approaches (e.g. RFC 6489), tied in to the
> overall protocol.
>
> On Thu, Sep 2, 2021 at 10:10 AM Michael Richardson <mcr+ietf@sandelman.ca>
> wrote:
>
>>
>> Hi, sometime in 2021, we had a thread discussing how to roll over a
>> certification authority, and the process of signing old CA with new CA.
>> I know that I wrote emails about this, but I can't find them
>> either in the archives or in my outbox.
>>
>> I also can't find the RFC which describes this... somewhere in the 2000s?
>>
>> --
>> Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
>>            Sandelman Software Works Inc, Ottawa and Worldwide
>> _______________________________________________
>> Spasm mailing list
>> Spasm@ietf.org
>> https://www.ietf.org/mailman/listinfo/spasm
>>