Discovery of CRL Signer Certificate Stefan Santesson Microsoft

Issues Need mechanism to find the CRL Issuer certificate when it is NOT part of the certification path Two important cases: CA Rekey Indirect CRL

Proposed solution Allow Authority Information Access (AIA) as an optional, non-critical CRL extension Advantages: Easy to implement: Reuse of the existing certificate extension that is supported most environments Effective and simple solution: Allows direct lookup using unambiguous pointer Allow instant deployment: Works with existing certificates

TA Root Cert CA1 Cert CA2 old CA2o Cert CA2 new CA2n Cert CA2 CRL EE Cert CDP AIA Case 1: CA Rekey EE (ne ed CA2 new public key to validate)

TA Root Cert CA1 Cert CA2 Cert CRL Issuer CRL Issuer Cert CRL EE Cert CDP AIA Case 2: Indirect CRL EE (ne ed CRL Issuer public key to validate)

Solving the problem with SIA SIA may be used to provide link to the CRLIssuer certificate in some cases Problems with SIA: Works ONLY if the CRLIssuer certificate and the target certificate were issued by the same CA Complex, as SIA points to all certificates issued by the CA Only supports top-down path building, yet bottom-up is the most common method in implementations May take years to deploy since critical CA certificates cannot be easily replaced

Related issues Current definition of AIA does not clearly define storage schemas and media types Would benefit from minor revision of RFC 3280 description of AIA Replace CA with authority Make appropriate changes to attribute type for DAP access Opportunity to clarify the format of AIA target (certificate or p7 file)

Way forward Write a draft defining the use of AIA as CRL extension Limit work to aspects that are specific to use in CRLs Provide input to update of RFC 3280 regarding generic AIA improvements The draft does not need these changes but would benefit from them in future