-
Type:
Bug
-
Resolution: Duplicate
-
Priority:
P3
-
None
-
Affects Version/s: 1.4.2
-
Component/s: security-libs
-
None
-
generic
-
generic
RFC 3280 allows a CA to use a separate CRL issuer. As long as the CRL issuer has the same X.500 name as the CA, the CRLs it issues are not considered "indirect CRLs." RFC 3280 does not require that relying parties support this (a MUST), but it is recommended (a SHOULD) in section 5.1.1.3. This is common practice in security-sensitive environments. The NIST Public Key Interoperability Test Suite includes several tests that require applications to support separate certificate and CRL signing keys.
Sun's CertPath builder and validator don't support them. This will cause problems in security-sensitive environments (such as with root CAs), since people will not be willing to use their CA's certificate signing key for signing CRLs. The cert signing key is typically offline with tight restrictions on how it may be used.
Fortunately, I have written the code to do this and attached it to this bug along with a test case.
Sun's CertPath builder and validator don't support them. This will cause problems in security-sensitive environments (such as with root CAs), since people will not be willing to use their CA's certificate signing key for signing CRLs. The cert signing key is typically offline with tight restrictions on how it may be used.
Fortunately, I have written the code to do this and attached it to this bug along with a test case.
- duplicates
-
-
- Resolved
-