-
Notifications
You must be signed in to change notification settings - Fork 20
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Sections 4.6, 4.7, 4.8 Certificate renewal, rekey, modification #57
Comments
@LarryFrank had submitted this (and all sub-sections): For 4.6:
For 4.7:
For 4.8:
|
For 4.8 and comparison purposes:
Symantec
|
Questions:
|
No-check means an OCSP cert cannot (effectively) be revoked. To reduce the potential, issuing short lived OCSP certs is seen as a mitigation of that security threat. Renewal is a simple and effective way to allow CAs to easily issue new certificates every 30-45 days. DoD operates this was and has done soe effectively for several years.
Current federal policy and NISTR do not require it and, operationally, there is often a need for overlap to allow for smooth transition from the current certificate to a new one.
DoD has found that having the ability to modify a CA cert allows for more flexibility in operations. Not requiring a new CA key to change a CA cert reduces complexity. Some products do not support this but some do. Subscriber certs - the difficulty in verifying attributes essentially creates the need for going through an initial authentication process anyway and there is no operational benefit. |
Both are talking about subscriber certificates and I would agree with them on that. I made the exception for CA certs (CA/B baseline say "no stipulation", by the way) because DoD finds modification of CA certs to have been very useful. E.G., adding a policy OID to a CA cert - which has no impact on the issued certs, allows the CA to be used for a purpose that may not have been known at the time of original issuance and has no security impact. Not allowing modification (policy or technology) makes things much more complicated when the PKI needs to make changes. |
Just as a data point: while current AF PKI generally follows the DoD PKI for cert policy, we do rekey/renew differently. This is short extract from our current Root CA CPS: "Root CA certificates will be re-keyed ten (10) years after initial issuance, per Section 3.3. Re-keying the Root CA certificate involves issuing a new certificate that is identical to the old one but with a new, different public key (corresponding to a new, different private key) according to the schedule and steps listed in Section 4.2." AF PKI does not support cert renewal for any NPE (CA or other device). |
Is the Device Root going to employ certificate renewal, rekey or modification for the certificates it issues? If so, these sections need to say so and the associated subsections need to be specified (by whom, under what circumstances, etc). If not, make that statement and the associated subsections become N/A.
If the Device Root does not intend to renew, rekey or modify, but will allow subordinate CAs to do so, then this needs to be explicit.
The text was updated successfully, but these errors were encountered: