On Tue, Mar 18, 2008 at 1:58 PM, Michael Sierchio wrote:
> David Schwartz wrote:
> > Michael Sierchio:
> >
> >> If it's your policy not to reuse keys, or allow their use beyond
> >> the lifespan of the certificate, then the enforcement mechanism
> >> for this MUST be in the CA.

> >
> > I completely disagree. If this were true, CA's would generate the private key as part of the certificate issuing process.

>
> That doesn't follow. In any case, the only place where certificate issuing
> policy can be enforced is the RA and/or CA. The rest of your argument is
> just as specious, and I could make a career out of correcting your errors,
> but you're determined not to learn.
>
> - M


First: don't degenerate into personal 'ethos' attacks.

Second: there's a difference between 'certificate issuing policy' and
'key usage policy'.

Certificate issuance is a statement of identity binding for a given
key at a given assurance. No more, no less.
Key Usage is a statement of "how long a key may be appropriately used
for what it's being used for". No more, no less.

A CA does not and cannot specify the value of the data which can be
encrypted or protected by any given key. It specifies things that
third parties can know and rely on. Only the principal itself can
know what it's actually going to use the key for.

Remember, the CA (and X.509 certificate chains) are only a relatively
efficient means of transferring trust via policy. It is NOT the only
way to transfer trust. (remember that trust anchors can be
arbitrarily created, trusted, untrusted, removed, whathaveyou by
anyone who creates a policy -- that is, anyone who owns or controls a
computer system.)

Please remember that there are uses for keys outside the PKI. This is
why private key storage formats should have a timestamp-of-generation,
even if you can't see any use for such a field inside the PKI -- and
even though I can.

-Kyle H
__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org