At 11:23 AM +1000 4/18/07, Geoff Huston wrote:
>>>>> D) The new CA needs a new key. So ISP requests one through the signing protocol. However, if the RE uses a sneaker-net, then ISP will have to wait for the key to be generated... Only then can it send the request to the IR.
>>>>
>>>> Usually a CA provides the key, so this is an issue only if the ISP is asking the issuer to create the key pair as well as issue the cert. In that case, do we expect the ISP to outsource the operation of its CA entirely? If so, it need not ever know the private key, which avoids the delay cited here.
>>>
>>> I read this as saying that the ISP has to create a new instance of a key pair and then use the private key to sign the certificate request that is to be passed to the issuer. There would be a signing delay if some off-line signing system is used by the ISP as far as I can tell.
>>
>> If the ISP (Subject) is doing everything for itself, then there is no problem, i.e., the public key is placed in the cert request by the Subject, as is the usual case. The question I was asking is whether the Issuer was offering two alternate services or just one:
>> - Issuer generates key pair for ISP, but ISP still does the rest of the work for itself, and thus needs the private key
>> - ISP has out-sourced ALL CA functions to the Issuer, and thus never needs to know the private key
>> I'm not sure which of these you have in mind, or whether there is a third one.
>
> In my mind the ISP is "defined" by an instance of this "CA Engine". Whether this CA Engine is run on a platform hosted at the ISP, or whether the ISP outsources the operation of this "CA Engine" to a third party (or even the Issuer) does not affect the set of interactions between the ISP's CA Engine instance and the Issuer's CA Engine instance.
>
> Using this form of conceptualization I see the sequence of actions as being:
> 1 - The ISP CA Engine instance generates a new key pair (the private part is held somewhere Safe - the Public part could be considered the success return value of this action)
> 2 - The ISP CA engine uses the public key (and other information as required) to construct a Cert Request
> 3 - The ISP CA Engine passes the Cert request to the key signing operation (online or offline) for signing with the private key
> 4 - The ISP's CA Engine passes the signed cert request to the Issuer's CA Engine via a Certificate Issuance Request message.
>
> Does this form of looking at the actions make the sequence of events consistent irrespective of whether the CA function is outsourced (or not!)?
I think your way of characterizing the ISP makes sense, and is uniform, which is very helpful. Again, this seems to establish a requirement that the software you distribute include the separate set of protocols that enable the ISP to arrange the outsourced function, so that the uniform interface you describe above can be used from the start.
Steve
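The four-step sequence quoted above, as an added illustration that is not code from this thread or from any RPKI implementation: a simplified model in Go where the ISP-side engine keeps its key pair behind the crypto.Signer interface (so an online key and an offline signing system look the same to steps 2 and 3), builds a PKCS#10 request, and the issuer-side engine verifies the request's self-signature as proof of possession without ever holding the private key. The type names ISPCAEngine and IssuerCAEngine and the use of PKCS#10 as the request format are assumptions made for the example, not the protocol under discussion.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// ISPCAEngine is the ISP-side "CA Engine" (hypothetical name). Its key pair sits
// behind crypto.Signer, so an online key and an offline (sneaker-net) signer look alike.
type ISPCAEngine struct {
	Name   string
	signer crypto.Signer // step 3 is delegated to whatever implements this
}

// NewISPCAEngine is step 1: the private key stays here, the public half is the result.
func NewISPCAEngine(name string) (*ISPCAEngine, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &ISPCAEngine{Name: name, signer: key}, nil
}

// BuildCertRequest is steps 2 and 3: a PKCS#10 request around the public key,
// signed with the private key by the signing operation (online or offline).
func (e *ISPCAEngine) BuildCertRequest() ([]byte, error) {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: e.Name}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, e.signer)
}

// IssuerCAEngine (hypothetical name) is the issuer side; it only sees the step 4 message.
type IssuerCAEngine struct{ Received []*x509.CertificateRequest }

// HandleIssuanceRequest parses the DER request and checks its self-signature: proof
// that the requester holds the matching private key, so the issuer never needs it.
func (i *IssuerCAEngine) HandleIssuanceRequest(der []byte) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, fmt.Errorf("malformed request: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	i.Received = append(i.Received, csr)
	return csr, nil
}
```

Whether the signer behind ISPCAEngine is an in-process key, an HSM, or an operator carrying the request to an offline machine changes only the latency of step 3, not the issuer's check.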