help-gnutls

Re: Protocol for renewing CA certs


From: Sam Varshavchik
Subject: Re: Protocol for renewing CA certs
Date: Sun, 25 Sep 2011 14:52:24 -0400

Nikos Mavrogiannopoulos writes:

On 09/24/2011 05:14 PM, Sam Varshavchik wrote:
A logistical question occurred to me, while I was browsing through the
code that verifies certificates.

_gnutls_verify_certificate2() locates a certificate's signing CA by
invoking find_issuer(), which searches the list of trusted CAs. The
search simply compares each CA's entire DN against the certificate's
issuer's DN.
Once a matching DN is found, _gnutls_verify_certificate2() tries that CA
cert, and if it doesn't work it does not look for any other DNs that match.

In gnutls 3.0.x _gnutls_verify_certificate2() will only check against the latest valid issuer. Check the find_issuer() function in the same file.

I'll look it up, but I'm also trying to work this out in my head. It seems to me that it shouldn't be merely the latest valid issuer, but rather a strict match against the activation and expiration time range, so that a certificate should get checked against a CA cert whose activation/expiration time includes the certificate's expiration time. That's because new CA certs must be distributed in advance of the expiration of existing CA certs, so there would be a transition period where both certs are placed in trusted chains, and existing certs won't validate, of course, against the new cert. Additionally, for this to work, I think that the CAs must generate new certs whose activation time is specified to be exactly the expiration time of the expiring cert, and continue to sign certificates with the expiring cert up until it actually expires, then immediately switch to the new cert.

I don't know if this is exactly what the CAs do, or whether they activate new CA certs in advance of the existing CA cert's expiration, and sign new certs using the new CA cert. If they do that, then it seems to me that even the logic of using just the latest CA cert wouldn't work, because both CA certs will overlap, and certs signed by the expiring CA cert won't validate against the new CA cert.

Also, is it only the cert's activation time that must fall within the activation/expiration time of the signing cert? Or must both the activation and expiration time of a cert fall within the signing cert's range? Because if clients validate the entire cert's activation/expiration range against the signing cert's range, CAs would be forced to generate new certs whose activation/expiration range overlaps with their expiring cert, so that certs signed by the expiring cert remain valid, and new certs would have to be signed by the new CA cert, since the new certs' expiration time would fall outside of the expiring CA cert's.
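The issuer-selection policies debated in this message, as an added toy model that is not gnutls code: it keeps the DN comparison and the validity windows, but replaces real signature verification with a stand-in key-id match, and all certificates, dates and key ids are constructed for the example. It compares four ways of choosing among trusted CA certs that share one DN: the first DN match only, the latest currently-valid issuer, the issuer whose window covers the leaf's activation time, and the issuer whose window covers the leaf's whole lifetime.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Added example, not gnutls code. Signature checking is a stand-in (key ids
# compared as strings); the trust store and leaf certs below are constructed.


def ts(s: str) -> datetime:
    """Parse a constructed ISO-8601 timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    key_id: str         # id of this cert's own key (stand-in for the public key)
    signer_key_id: str  # id of the key that produced the signature


# Constructed trust store: two CA certs with the same DN; the new one becomes
# active at exactly the moment the old one expires (the handover described above).
OLD_CA = Cert("CN=Example Root CA", "CN=Example Root CA",
              ts("2001-01-01T00:00:00"), ts("2011-12-31T23:59:59"), "old", "old")
NEW_CA = Cert("CN=Example Root CA", "CN=Example Root CA",
              ts("2011-12-31T23:59:59"), ts("2021-12-31T23:59:59"), "new", "new")
TRUSTED = [OLD_CA, NEW_CA]

# Constructed end-entity certs: one signed by the old key whose lifetime
# straddles the handover, one signed by the new key after it.
LEAF_OLD = Cert("CN=www.example.test", "CN=Example Root CA",
                ts("2011-06-01T00:00:00"), ts("2012-06-01T00:00:00"), "leaf1", "old")
LEAF_NEW = Cert("CN=www.example.test", "CN=Example Root CA",
                ts("2012-01-15T00:00:00"), ts("2013-01-15T00:00:00"), "leaf2", "new")


def signature_ok(cert: Cert, ca: Cert) -> bool:
    """Stand-in for real signature verification: compare key ids."""
    return cert.signer_key_id == ca.key_id


def dn_matches(cert: Cert, trusted: list) -> list:
    """Every trusted CA whose subject DN equals the cert's issuer DN, in store order."""
    return [ca for ca in trusted if ca.subject == cert.issuer]


def in_window(ca: Cert, when: datetime) -> bool:
    """True when `when` lies inside the CA cert's validity window."""
    return ca.not_before <= when <= ca.not_after


def select_issuer(cert: Cert, trusted: list, now: datetime, policy: str):
    """Return the trusted CA that validates `cert` under `policy`, or None.

    first_dn      - try only the first DN match (the behaviour observed in the thread).
    latest_valid  - among DN matches valid at `now`, try only the newest.
    covers_start  - try every DN match whose window contains the leaf's notBefore.
    covers_whole  - try every DN match whose window contains the leaf's entire lifetime.
    """
    cands = dn_matches(cert, trusted)
    if policy == "first_dn":
        cands = cands[:1]
    elif policy == "latest_valid":
        valid = [ca for ca in cands if in_window(ca, now)]
        cands = [max(valid, key=lambda ca: ca.not_before)] if valid else []
    elif policy == "covers_start":
        cands = [ca for ca in cands if in_window(ca, cert.not_before)]
    elif policy == "covers_whole":
        cands = [ca for ca in cands
                 if ca.not_before <= cert.not_before and cert.not_after <= ca.not_after]
    else:
        raise ValueError(policy)
    for ca in cands:
        if signature_ok(cert, ca):
            return ca
    return None


def outcome(cert: Cert, now: datetime, policy: str):
    """Key id of the selected issuer, or None when no chain can be built."""
    ca = select_issuer(cert, TRUSTED, now, policy)
    return ca.key_id if ca else None


if __name__ == "__main__":
    for policy in ("first_dn", "latest_valid", "covers_start", "covers_whole"):
        print(f"{policy:13s}",
              "old-signed leaf, checked 2011-09:", outcome(LEAF_OLD, ts("2011-09-25T00:00:00"), policy),
              "| old-signed leaf, checked 2012-03:", outcome(LEAF_OLD, ts("2012-03-01T00:00:00"), policy),
              "| new-signed leaf, checked 2012-03:", outcome(LEAF_NEW, ts("2012-03-01T00:00:00"), policy))
```

Running it shows the trade-offs the message raises: the first-DN-match policy never reaches the new CA, the latest-valid-issuer policy rejects the old-signed leaf once the handover has happened even though that leaf is still within its own lifetime, the activation-time policy validates both leaves, and the whole-lifetime policy rejects any leaf whose validity straddles the handover unless the CA windows overlap.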

