[cabfcert_policy] What is meant by "initial certificate issuance"?

Dean Coclin Dean_Coclin at symantec.com
Fri Aug 29 15:00:19 MST 2014


Here's the response to NIST on this topic:


1. Initial registration vs rekey/renewal: Initial registration is the hardest, because there is no established identity or relationship. Once one has a key/certificate, it is theoretically possible to use that identity to request a replacement.

From the IR 7924 glossary:

   Re-key (a certificate): To change the value of a cryptographic key that is being used in a cryptographic system application; this normally entails issuing a new certificate that contains the new public key.

   Renew (a certificate): The act or process of extending the validity of the data binding asserted by a public key certificate by issuing a new certificate.

The concept of re-key doesn't include what leads up to the issuance of a new cert with a new key, which is where "initial" comes in. Renew is how you get long-term keys with short-term certs (for dealing with certain challenging revocation conditions, for instance).

The concept of re-validation is an attempt to get rogue entities out of the system by forcing initial registration to occur occasionally.
Any time we use "initial", it means re-applying for a certificate as if you never had a relationship with this CA before. Obviously you don't need to recollect information, but all of it should be verified. From an EV point-of-view, that's a lot of work, and I would expect some discussion of how much work needs to be done, but the point is to re-establish confidence.

Non-initial rekey can be done on the strength of a new request signed with the existing key. If we are not consistent with our terms, we should probably fix that. We should also check whether our allowed validity periods accommodate non-initial rekey ("y years total with arbitrary number of non-initial rekeys during those y years" or "y years each, with possibility of n non-initial rekeys").

I asked further about this last one because we said that we didn't think this applies to SSL certs and here's the response:

Because IR 7924 says that a certificate can't be renewed beyond the key's usage period (remember, renew = same key), you'll probably never run into a renewal problem. That is, your cert validity period is probably going to be the whole key usage period to begin with. (The EV guidelines don't talk about key usage period vs cert validity period.)

Initial registration type rekey is just initial registration type rekey.
Non-initial type rekey is interesting, but I'm not sure it's any more straightforward for client certs than server certs. You'd need to have POP of the new private key, and id authn with the old private key. One would be the signature on the cert; the other would be... a signature on a challenge, carried as a CSR attribute? Is there a cert management system built to accommodate this?


From: policyreview-bounces at cabforum.org [mailto:policyreview-bounces at cabforum.org] On Behalf Of Ben Wilson
Sent: Thursday, July 24, 2014 4:36 PM
To: policyreview at cabforum.org
Subject: [cabfcert_policy] What is meant by "initial certificate issuance"?

The NISTIR document (and other PKI documents) refer to steps taken as part of "initial certificate issuance" and contrast those with steps taken during "certificate renewal".  This comes up first in section 3.2.3.1 of the NISTIR 7924.

There are lifecycle states such as re-key, re-issue, etc., which we have debated but have not fully defined. If we recommend that "initial certificate issuance" be defined by NISTIR 7924, what is the definition? "Initial registration" is also used. What does that mean, or how is that different from the former?

These terms are used in sections 3.2.3.1, 3.3.1, 3.3.2, 4.6.3, 4.7.3, and 4.8.1, and Section 3.2 of RFC 3647 is titled "Initial Identity Validation". "Initial identity proofing" is also mentioned in section 4.8.3.

This question is also related to draft ballot 123 dealing with re-validation of information because in section 11.13 of the EVG we talk about "existing subscribers" and "the age of validated data ... before revalidation is required."

Several CABF documents make a distinction between initial proofing and information that is subsequently used for renewal.  I think we need to improve our understanding of these things.

Thoughts?  Are there any broadly accepted industry definitions we could use?
Meanwhile, I'll also take a look to see what I can find.

Ben