(no subject)


(no subject)

by Massimiliano Max

Hi Rajani.

>There is another way, i.e., after you generate a new CA certificate,
>maintain two copies of signed (sign with old and new certificates)
>CRLs at the CRL distribution point. Generally there will be a small
>difference between the two serials, so you can put them in the same
>location.
>Based on the certificate you used, the corresponding CRL will be called. Once the
>old CA certificate has expired, remove the corresponding CRL from
>the server.

I'm sure there is a 'custom' way to make things work...
However, we have to follow some 'official' rule, since we are a CA and our certificates/signatures
are recognized by Italian law.

So what I need is a 'standard' way to act in these cases.
Is there an RFC that describes how a software should perform signature
verification during the migration between an old and a new CA certificate?

Thank you,
Massimiliano


Re:

by Rajani123


Hi,
As per the X.509 standard, we can also have more than one CRL DP in a certificate.
Maintaining two CRLs is not violating the law.
Refer to RFC 2459 - Internet X.509 Public Key Infrastructure Certificate
and CRL Profile.
The RFC doesn't mention that we should not have more than one CRL DP.

Regards,
Rajani


--
Thanks & Regards,
Rajani Chowdary Gali,
+91-99489-22211
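
The two-CRL arrangement discussed in this thread, as an added example that is not part of either message: the same revocation list is signed once with the old CA key and once with the new one, and the verifier picks the copy whose authority key identifier and signature match the key that issued the certificate being checked. It assumes the Python `cryptography` package; the CA name, dates, serial numbers and function names are constructed for illustration.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed CA name; the old and new CA certificates share it after a re-key.
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example CA (constructed)")])
NOW = datetime.datetime(2009, 10, 23)  # constructed issue date

def make_crl(ca_key, revoked_serials):
    """Sign one copy of the revocation list with the given CA private key."""
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(CA_NAME)
        .last_update(NOW)
        .next_update(NOW + datetime.timedelta(days=7))
        .add_extension(  # records which CA key signed this copy
            x509.AuthorityKeyIdentifier.from_issuer_public_key(ca_key.public_key()),
            critical=False,
        )
    )
    for serial in revoked_serials:
        entry = x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW).build()
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())

def crl_for_issuer(crls, issuer_public_key):
    """Return the CRL copy signed by the key that issued the certificate, or None."""
    want = x509.SubjectKeyIdentifier.from_public_key(issuer_public_key).digest
    for crl in crls:
        try:
            aki = crl.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value
        except x509.ExtensionNotFound:
            continue
        # The key id narrows the choice; the signature check is what proves it.
        if aki.key_identifier == want and crl.is_signature_valid(issuer_public_key):
            return crl
    return None

def is_revoked(crl, serial):
    return crl.get_revoked_certificate_by_serial_number(serial) is not None

def demo():
    """Build both CRL copies (same entries) plus an unrelated key for a negative check."""
    old_key, new_key, other_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    crls = [make_crl(k, [1001, 1002]) for k in (old_key, new_key)]
    return old_key, new_key, other_key, crls
```

A relying party that finds no matching copy (`None`) has no usable revocation data for that issuer key and should treat the certificate's status as undetermined rather than as good.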