Discovery of CRL Signer Certificate - PowerPoint PPT Presentation

About This Presentation
Title:

Discovery of CRL Signer Certificate

Description:

Discovery of CRL Signer Certificate. Stefan Santesson. Microsoft. Issues. Need mechanism to find the CRL Issuer certificate when it is NOT part of the ... – PowerPoint PPT presentation

Slides: 9
Provided by: stef158
Learn more at: https://www.ietf.org

Transcript and Presenter's Notes

1
Discovery of CRL Signer Certificate
  • Stefan Santesson
  • Microsoft

2
Issues
  • Need a mechanism to find the CRL issuer certificate
    when it is NOT part of the certification path
  • Two important cases
    • CA Rekey
    • Indirect CRL

3
Proposed solution
  • Allow Authority Information Access (AIA) as an
    optional, non-critical CRL extension
  • Advantages
    • Easy to implement: reuses the existing
      certificate extension, which is supported in most
      environments
    • Effective and simple solution: allows direct
      lookup using an unambiguous pointer
    • Allows instant deployment: works with existing
      certificates

4
Case 1 CA Rekey
[Diagram: Root Cert (TA) -> CA1 Cert (CA1) -> CA2o Cert (CA2 old) and CA2n Cert
 (CA2 new) -> EE Cert (EE); the CA2 CRL is signed with the CA2 new key, which is
 not on the EE's certification path]
(need CA2 new public key to validate)

5
Case 2 Indirect CRL
[Diagram: Root Cert (TA) with CRL Issuer Cert (CRL Issuer) and CA1 Cert (CA1)
 beneath it; CA1 Cert -> CA2 Cert (CA2) -> EE Cert (EE); the CRL covering the EE
 is issued by the separate CRL Issuer, not by CA2]
(need CRL Issuer public key to validate)

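The mechanism proposed on slide 3, worked through for the CA rekey case above, as an added example in Go (not code from the presentation or from any IETF draft): a CRL carries a non-critical AIA extension whose caIssuers entry points at the CRL signer's certificate; a relying party whose path holds the old CA2 key fails to verify the CRL, follows the pointer, and accepts the fetched certificate only after checking that its subject equals the CRL issuer name, that its subject key identifier matches the CRL's authority key identifier, that it chains to the trust anchor, and that it actually verifies the CRL signature. The URL http://pki.example.com/ca2-new.cer, the names TA/CA1/CA2, the in-memory repository standing in for the HTTP fetch, and all helper names (aiaExtension, caIssuerURIs, verifyCRL, newCA, buildDemo) are assumptions of this example; the EE certificate of the diagram is omitted because it plays no role in checking the CRL, and the fetched object is assumed to be a single DER certificate (the PKCS #7 case mentioned later on slide 7 is not handled).

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// RFC 3280 OIDs: id-pe-authorityInfoAccess and id-ad-caIssuers.
var oidAIA, oidCAIssuers = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 1}, asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 2}

const demoURI = "http://pki.example.com/ca2-new.cer" // assumed publication point of the rekeyed CA2 certificate

// accessDescription mirrors AccessDescription ::= SEQUENCE { accessMethod OID, accessLocation GeneralName };
// accessLocation is kept raw and only uniformResourceIdentifier ([6] IA5String) is interpreted here.
type accessDescription struct {
	Method   asn1.ObjectIdentifier
	Location asn1.RawValue
}

// aiaExtension encodes a non-critical AIA extension carrying one caIssuers URI, for use as a CRL extension.
func aiaExtension(uri string) (pkix.Extension, error) {
	val, err := asn1.Marshal([]accessDescription{{Method: oidCAIssuers,
		Location: asn1.RawValue{Class: asn1.ClassContextSpecific, Tag: 6, Bytes: []byte(uri)}}})
	return pkix.Extension{Id: oidAIA, Value: val}, err
}

// caIssuerURIs returns the caIssuers URIs from the CRL's AIA extension (none if the CRL carries no AIA).
func caIssuerURIs(crl *x509.RevocationList) ([]string, error) {
	var uris []string
	for _, ext := range crl.Extensions {
		if !ext.Id.Equal(oidAIA) {
			continue
		}
		var ads []accessDescription
		if rest, err := asn1.Unmarshal(ext.Value, &ads); err != nil || len(rest) != 0 {
			return nil, errors.New("malformed AIA extension in CRL")
		}
		for _, ad := range ads {
			if ad.Method.Equal(oidCAIssuers) && ad.Location.Class == asn1.ClassContextSpecific && ad.Location.Tag == 6 {
				uris = append(uris, string(ad.Location.Bytes))
			}
		}
	}
	return uris, nil
}

// verifyCRL returns the certificate that verifies the CRL: the issuer certificate already on the certification
// path if its key fits, otherwise (CA rekey, indirect CRL) one fetched from the CRL's caIssuers URI. A fetched
// candidate counts only if its subject equals the CRL issuer name, its SKI matches the CRL's AKI (when present),
// it chains to a trust anchor under opts, and it verifies the signature: the pointer is a hint, not a trust source.
// fetch stands in for HTTP/LDAP retrieval and is assumed to return one DER certificate (no PKCS #7 bundle).
func verifyCRL(crl *x509.RevocationList, pathIssuer *x509.Certificate, fetch func(string) ([]byte, error), opts x509.VerifyOptions) (*x509.Certificate, error) {
	if pathIssuer != nil && crl.CheckSignatureFrom(pathIssuer) == nil {
		return pathIssuer, nil
	}
	uris, err := caIssuerURIs(crl)
	if err != nil {
		return nil, err
	}
	for _, uri := range uris {
		der, err := fetch(uri)
		if err != nil {
			continue
		}
		cand, err := x509.ParseCertificate(der)
		if err != nil || !bytes.Equal(cand.RawSubject, crl.RawIssuer) ||
			(len(crl.AuthorityKeyId) > 0 && !bytes.Equal(cand.SubjectKeyId, crl.AuthorityKeyId)) {
			continue
		}
		if _, err := cand.Verify(opts); err == nil && crl.CheckSignatureFrom(cand) == nil {
			return cand, nil
		}
	}
	return nil, errors.New("no acceptable CRL signer certificate found")
}

// Everything below builds the constructed "Case 1 CA rekey" scenario as a throwaway in-memory test PKI.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCA issues a P-256 CA certificate with keyCertSign+cRLSign; parent == nil means self-signed (the TA).
func newCA(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)))), key
}

// buildDemo creates TA -> CA1 -> CA2, rekeys CA2 and signs CA2's CRL with the new key. It returns the CRL, CA2 old
// (the key an EE's path contains), CA2 new (the real signer), verify options rooted at TA, and a fetch function
// over an in-memory repository that serves CA2 new at demoURI.
func buildDemo() (*x509.RevocationList, *x509.Certificate, *x509.Certificate, x509.VerifyOptions, func(string) ([]byte, error)) {
	ta, taKey := newCA("TA", nil, nil, 1)
	ca1, ca1Key := newCA("CA1", ta, taKey, 2)
	ca2Old, _ := newCA("CA2", ca1, ca1Key, 3)
	ca2New, ca2NewKey := newCA("CA2", ca1, ca1Key, 4) // rekey: same subject name, fresh key pair
	crlDER := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: time.Now().Add(-time.Hour), NextUpdate: time.Now().Add(24 * time.Hour),
		ExtraExtensions: []pkix.Extension{must(aiaExtension(demoURI))}}, ca2New, ca2NewKey))
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(ta)
	inters.AddCert(ca1)
	repo := map[string][]byte{demoURI: ca2New.Raw}                  // what the AIA URI would serve
	fetch := func(u string) ([]byte, error) { return repo[u], nil } // stand-in for an HTTP GET; nil if unknown
	return must(x509.ParseRevocationList(crlDER)), ca2Old, ca2New,
		x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}, fetch
}

func main() {
	crl, ca2Old, _, opts, fetch := buildDemo()
	signer := must(verifyCRL(crl, ca2Old, fetch, opts))
	fmt.Printf("CRL verifies with the path's CA2 key: %v; signer found via AIA: CN=%s, serial %s\n",
		crl.CheckSignatureFrom(ca2Old) == nil, signer.Subject.CommonName, signer.SerialNumber)
}
```

`go run` on this file (Go 1.19 or later is assumed, for x509.ParseRevocationList and CheckSignatureFrom) reports that the old CA2 key does not verify the CRL and that the signer reached through the AIA pointer is the CA2 certificate with serial 4. The order of checks in verifyCRL is the point: the URI only says where to look, and every acceptance criterion (name, key identifier, chain to the trust anchor, signature) is evaluated locally on the fetched certificate, so a tampered or misdirected pointer can at worst cause a lookup failure, never the acceptance of a CRL from an unauthorised signer.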
6
Solving the problem with SIA
  • Subject Information Access (SIA) may be used to
    provide a link to the CRL issuer certificate in some
    cases
  • Problems with SIA
    • Works ONLY if the CRL issuer certificate and the
      target certificate were issued by the same CA
    • Complex, as SIA points to all certificates issued
      by the CA
    • Only supports top-down path building, yet
      bottom-up is the most common method in
      implementations
    • May take years to deploy, since critical CA
      certificates cannot be easily replaced

7
Related issues
  • The current definition of AIA does not clearly define
    storage schemas and media types
  • Would benefit from a minor revision of the RFC 3280
    description of AIA
    • Replace "CA" with "authority" (so the wording also
      covers CRL issuers)
    • Make appropriate changes to the attribute type for
      DAP access
    • Opportunity to clarify the format of the AIA target
      (a single certificate or a PKCS #7 file)

8
Way forward
  • Write a draft defining the use of AIA as a CRL
    extension
    • Limit the work to aspects that are specific to use
      in CRLs
  • Provide input to the update of RFC 3280 regarding
    generic AIA improvements
    • The draft does not need these changes but would
      benefit from them in future