Protocol for renewing CA certs
mrsam at courier-mta.com
Sun Sep 25 20:52:24 CEST 2011
Nikos Mavrogiannopoulos writes:
> On 09/24/2011 05:14 PM, Sam Varshavchik wrote:
>> A logistical question occured to me, while I was browsing through the
>> code that verifies certificates.
>> _gnutls_verify_certificate2() locates a certificate's signing CA by
>> invoking find_issuer(), which searches the list of trusted CAs. The
>> search simply compares each CA's entire DN against the certificate's
>> issuer's DN.
>> Once a matching DN is found, _gnutls_verify_certificate2() tries that CA
>> cert, and if it doesn't work it does not look for any other DNs that match.
> In gnutls 3.0.x _gnutls_verify_certificate2() will only check against the
> latest valid issuer. Check the find_issuer() function in the same file.
I'll look it up, but I'm also trying to work this out in my head. It seems
to me that it shouldn't be merely the latest valid issuer, but rather a
strict match against the activation and expiration time range, so that a
certificate should get checked against a CA cert whose activation/expiration
time includes the certificate's expiration time. That's because new CA certs
must be distributed in advance of the expiration of existing CA certs, so
there would be a transition period where both certs are placed in trusted
chains, and existing certs won't validate, of course, against the new cert.
Additionally, for this to work, I think that the CAs must generate new certs
whose activation time is specified to be exactly the expiration time of the
expiring cert, and continue to sign certificates with the expiring cert up
until it actually expires, then immediately switch to the new cert.
I don't know if this is exactly what the CAs do, or whether they activate
new CA certs in advance of the existing CA cert's expiration, and sign new
certs using the new CA cert. If they do that, then it seems to me that even
the logic of using just the latest CA cert wouldn't work, because both CA
certs will overlap, and certs signed by the expiring CA cert won't validate
against the new CA cert.
Also, is it only the cert's activation time must fall within the
activation/expiration time of the signing cert? Or that both activation and
expiration time of a cert must fall within the signing cert's range? Because
if clients validate the entire cert's activation/expiration range against
the signing cert's range, CAs would be forced to generate new certs whose
activation/expiration range overlaps with their expiring cert, so that certs
signed by the expiring cert remain valid, and new certs would have to be
signed by the new CA cert, since the new certs' expiration time would fall
outside of the expiring CA cert's.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 198 bytes
Desc: not available
More information about the Gnutls-help