> David Schwartz wrote:
> > Michael Sierchio:
> >> If it's your policy not to reuse keys, or allow their use beyond
> >> the lifespan of the certificate, then the enforcement mechanism
> >> for this MUST be in the CA.
> >
> > I completely disagree. If this were true, CAs would generate
> > the private key as part of the certificate issuing process.
>
> That doesn't follow. In any case, the only place where
> certificate issuing policy can be enforced is the RA and/or CA.


Sure, the CA makes the decision whether or not to issue a certificate.
However, it can't make me use that certificate for anything. If I don't
like the certificate, for any reason, I can refuse to use it.

The issue was whether the CA is the only place key policy can be
enforced. It isn't -- I choose what key to use in the CSR, and can
enforce any policy I want to decide what key to send. The CA can refuse
to issue a certificate based on the CSR or could, at least in theory,
issue a certificate with a completely different key in it. But I can
also evaluate the key in the certificate when I make the decision
whether to use the certificate or not.

So there are at least two other places key policy for certificates can
be enforced other than at the CA's decision to issue the certificate.

If the only place *key* policy could be enforced was the CA, we're in
trouble. There must be a policy that the private key not be publicly
disclosed, and the CA has (in typical applications such as the
Internet's TLS PKI) no ability to enforce this.

> The rest of your argument is just as specious, and I could make a
> career out of correcting your errors, but you're determined not to
> learn.


I agree that all of my arguments are equally specious.

DS
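The subscriber-side checks described in the reply above (choosing the key that goes into the CSR, comparing the key in the issued certificate against it before using the certificate, refusing a key that has already been certified, and not using a key past its certificate's lifetime) as an added shell example built on the openssl CLI. It is not code from this thread or from the OpenSSL project. The "CA" is simulated with a locally generated self-signed certificate, the function and file names are the example's own, and the registry of already-certified keys is a constructed stand-in for whatever record a subscriber keeps.

```shell
#!/bin/sh
# Added example: key-policy enforcement on the subscriber side with the openssl CLI.
# Nothing here comes from the thread; the "CA" is a local self-signed certificate
# and the registry file is a constructed stand-in for the subscriber's own records.

# SHA-256 over the DER-encoded SubjectPublicKeyInfo derived from a private key file.
spki_fp_of_key() {
  openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256 | sed 's/^.*= //'
}

# The same fingerprint, taken from the public key carried inside a certificate.
spki_fp_of_cert() {
  openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
    | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | sed 's/^.*= //'
}

# Check 1: the certificate carries the key we submitted in the CSR, not some other key.
cert_matches_key() {  # $1 = private key file, $2 = certificate file
  [ "$(spki_fp_of_key "$1")" = "$(spki_fp_of_cert "$2")" ]
}

# Check 2: local no-reuse policy. The registry is a text file listing fingerprints of
# keys that have already been certified; a key found there is refused.
key_is_fresh() {  # $1 = registry file, $2 = private key file
  ! grep -Fqx "$(spki_fp_of_key "$2")" "$1" 2>/dev/null
}
record_key() {    # $1 = registry file, $2 = private key file
  spki_fp_of_key "$2" >> "$1"
}

# Check 3: do not keep using a key once its certificate has expired.
cert_still_valid() {  # $1 = certificate file
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Every check must pass before the subscriber agrees to use the certificate.
accept_for_use() {  # $1 = registry file, $2 = private key file, $3 = certificate file
  cert_matches_key "$2" "$3" && key_is_fresh "$1" "$2" && cert_still_valid "$3"
}

# Constructed scenario: two subscriber keys, a local "CA", and two issued certificates,
# one for the key we submitted and one carrying the other key (the case where a CA
# hands back a certificate for a key we did not send).
setup_demo() {
  DEMO_DIR=$(mktemp -d)
  DEMO_REG="$DEMO_DIR/certified-keys.txt"
  DEMO_KEY1="$DEMO_DIR/k1.pem"; DEMO_KEY2="$DEMO_DIR/k2.pem"
  DEMO_CERT_OK="$DEMO_DIR/cert-ok.pem"; DEMO_CERT_WRONG="$DEMO_DIR/cert-wrong.pem"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$DEMO_KEY1" 2>/dev/null
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$DEMO_KEY2" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$DEMO_DIR/ca.key" \
    -out "$DEMO_DIR/ca.pem" -subj "/CN=Demo CA" -days 1 2>/dev/null
  openssl req -new -key "$DEMO_KEY1" -subj "/CN=example.test" -out "$DEMO_DIR/csr1.pem" 2>/dev/null
  openssl req -new -key "$DEMO_KEY2" -subj "/CN=example.test" -out "$DEMO_DIR/csr2.pem" 2>/dev/null
  openssl x509 -req -in "$DEMO_DIR/csr1.pem" -CA "$DEMO_DIR/ca.pem" -CAkey "$DEMO_DIR/ca.key" \
    -CAcreateserial -days 1 -out "$DEMO_CERT_OK" 2>/dev/null
  openssl x509 -req -in "$DEMO_DIR/csr2.pem" -CA "$DEMO_DIR/ca.pem" -CAkey "$DEMO_DIR/ca.key" \
    -CAcreateserial -days 1 -out "$DEMO_CERT_WRONG" 2>/dev/null
}

setup_demo
if accept_for_use "$DEMO_REG" "$DEMO_KEY1" "$DEMO_CERT_OK"; then
  echo "cert-ok: accepted"; record_key "$DEMO_REG" "$DEMO_KEY1"
fi
accept_for_use "$DEMO_REG" "$DEMO_KEY1" "$DEMO_CERT_WRONG" || echo "cert-wrong: refused (key mismatch)"
accept_for_use "$DEMO_REG" "$DEMO_KEY1" "$DEMO_CERT_OK" || echo "cert-ok again: refused (key already certified)"
```

The fingerprint is taken over the SubjectPublicKeyInfo on both sides, so the comparison does not depend on how the CA happened to encode the key, and the same value serves as the registry entry for the no-reuse policy. None of the three checks needs any cooperation from the CA, which is the point of the reply above: the CA decides whether to issue, the subscriber decides whether to use.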


__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org