[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Doubt regarding the cert that signs the CRL

To: Chandra Sekhar Suram <suram@intotoinc.com>
Subject: Re: Doubt regarding the cert that signs the CRL
From: Tony Earnshaw <tonni@billy.demon.nl>
Date: 10 Aug 2002 19:08:23 +0200
Cc: openldap-software@OpenLDAP.org
In-reply-to: <5.1.0.14.0.20020810195626.009ea130@172.16.1.10>
References: <5.1.0.14.0.20020810195626.009ea130@172.16.1.10>

lør, 2002-08-10 kl. 16:30 skrev Chandra Sekhar Suram:

> Should the certificate that signs the CRL be the same cert that signs the 
> end-entity's certificates?

Certificate Authorities (CAs) are organized in chains, stemming from the
root CA (Verisign, Thawte etc.; even your own, self-constructed 
Certificate Authority). CAs in the chain are authorized to sign and
revoke CAs.

Only the CA in the particular chain, or that/those above it, kan revoke
a certificate and thus add a certificate to a Certificate Revoke List.

CAs that are recognized by other root CAs and are part of the hierarchy
can revoke a CA certificate. If your own or anybody elses, CA is not
part of a defined chain, it obviously can't revoke a certificate in
another, independant, chain.

> or Can any other certificate(ie., authorised to do so) can sign the CRL?

One doesn't "sign a CRL" one "adds to a CRL." CRLS are propagated within
a hierarchy, a chain.

> Since we do not know from where we are getting the data for an Ldap 
> request, some imposter may be sending false data with the same issuer name.

Ain't possible. *Try it!*

> ie., How can we verify the Ldap response?

What ldap response? Do you mean: "How can we verify that a CA is what he
says he is?". Well, we tell our systems to do so. Most security-aware
SSL software has built-in trusted authorities. Netscape browsers,
Openssl, Microsoft browsers, etc. Any CAs besides these need to be added
to a list of recognized CAs. Openldap does this, amongst other places,
in /etc/ldap.conf. One of those "other places" is ~/ldaprc. If Openldap
doesn't recognize a CA through its hard wiring and we don't include the
CA location in one or more of these configuration files, then the signed
certificate will not be recognized and any connection request wil be
summarily refused.

Actually, one of the things that I don't understand about Openldap is,
that we don't tell it where to look for CRLs. We include CRLs in PKCS#12
bundles, we tell FreeS/WAN where the CRL is - what about Openldap?

Hope this helps,

Best,

Tony

-- 

Tony Earnshaw

The usefulness of RTFM is vastly overrated.

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
gpg public key:	http://www.billy.demon.nl/tonni.armor

Telefoon:	(+31) (0)172 530428
Mobiel:		(+31) (0)6 51153356

GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981
3BE7B981

Attachment: signature.asc
Description: Dette er en digitalt signert meldingsdel

References:
- Doubt regarding the cert that signs the CRL
  - From: Chandra Sekhar Suram <suram@intotoinc.com>

Prev by Date: Doubt regarding the cert that signs the CRL
Next by Date: Re: Doubt regarding the cert that signs the CRL
Index(es):
- Chronological
- Thread