RE: Accessing encrypted messages after cert expires - Openssl
> David Schwartz wrote:
> > Michael Sierchio:
> >> If it's your policy not to reuse keys, or allow their use beyond
> >> the lifespan of the certificate, then the enforcement mechanism
> >> for this MUST be in the CA.
> I completely disagree. If this were true, CAs would generate
> the private key as part of the certificate issuing process.
> That doesn't follow. In any case, the only place where certificate issuing
> policy can be enforced is the RA and/or CA.
Sure, the CA makes the decision whether or not to issue a certificate.
However, it can't make me use that certificate for anything. If I don't
like the certificate, for any reason, I can refuse to use it.

The issue was whether the CA is the only place key policy can be
enforced. It isn't -- I choose what key to use in the CSR, and can
enforce any policy I want to decide what key to send. The CA can refuse
to issue a certificate based on the CSR or could, at least in theory,
issue a certificate with a completely different key in it. But I can
also evaluate the key in the certificate when I make the decision
whether to use the certificate or not.

So there are at least two other places key policy for certificates can
be enforced other than at the CA's decision to issue the certificate.

If the only place *key* policy could be enforced was the CA, we're in
trouble. There must be a policy that the private key not be publicly
disclosed, and the CA has (in typical applications such as the
Internet's TLS PKI) no ability to enforce this.
> The rest of your argument is
> just as specious, and I could make a career out of correcting your
> but you're determined not to learn.
I agree that all of my arguments are equally specious.
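The two enforcement points the reply describes (choosing the key that goes into the CSR, and evaluating the key in the issued certificate before using it) can be scripted with nothing but openssl(1). The following is an added example, not code from the thread or from the OpenSSL project; the policy it enforces (key must match the one we generated, minimum key size, not expired, no key reuse tracked through a local ledger file), the file names and the `MIN_BITS`/`KEY_LEDGER` variables are all assumptions made for this example.

```shell
# Added example, not from the original thread: enforce key policy on the
# requester's side before a certificate is put into use, with openssl(1).
# Assumed policy (thresholds, file names and ledger format are assumptions):
#   - the public key in the cert must be exactly the key we generated;
#   - the key must be at least MIN_BITS bits;
#   - the cert must not be expired;
#   - a key whose SPKI fingerprint is already in KEY_LEDGER is not reused.
# Usage: . ./certpolicy.sh
#        verify_issued_cert server.key server.crt && record_key_use server.key

MIN_BITS="${MIN_BITS:-2048}"
KEY_LEDGER="${KEY_LEDGER:-./used-keys.txt}"

# SHA-256 of the DER SubjectPublicKeyInfo derived from a private key file.
spki_fingerprint() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Size in bits of the public key belonging to a private key file.
key_bits() {
    openssl pkey -in "$1" -pubout 2>/dev/null \
        | openssl pkey -pubin -text -noout 2>/dev/null \
        | grep -oE '\(([0-9]+) bit' | tr -dc '0-9'
}

# Return 0 if certificate $2 may be used with private key $1 under the policy
# above; otherwise print the first violated rule on stderr and return 1.
verify_issued_cert() {
    key="$1"; cert="$2"

    # 1. Key match: both commands print the same PEM SubjectPublicKeyInfo
    #    only if the CA certified the key we put in the CSR.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$key_pub" != "$cert_pub" ]; then
        echo "policy: public key in certificate is not our key" >&2
        return 1
    fi

    # 2. Key strength.
    bits=$(key_bits "$key")
    if [ "${bits:-0}" -lt "$MIN_BITS" ]; then
        echo "policy: key is ${bits:-?} bits, minimum is $MIN_BITS" >&2
        return 1
    fi

    # 3. Validity: -checkend 0 fails once notAfter is in the past.
    if ! openssl x509 -in "$cert" -checkend 0 -noout >/dev/null 2>&1; then
        echo "policy: certificate has expired" >&2
        return 1
    fi

    # 4. No key reuse across certificates.
    fp=$(spki_fingerprint "$key")
    if [ -f "$KEY_LEDGER" ] && grep -qx "$fp" "$KEY_LEDGER"; then
        echo "policy: key $fp was already used for an earlier certificate" >&2
        return 1
    fi
    return 0
}

# Record a key as used so a later certificate carrying the same key is refused.
record_key_use() {
    spki_fingerprint "$1" >> "$KEY_LEDGER"
}
```

The key-match step is the one that answers the "CA could issue a certificate with a completely different key" case: comparing the PEM `SubjectPublicKeyInfo` printed from our private key with the one printed from the certificate makes that substitution fail closed, and the ledger turns a "do not reuse keys" policy into something the requester enforces without any help from the CA.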
OpenSSL Project http://www.openssl.org
User Support Mailing List firstname.lastname@example.org
Automated List Manager email@example.com