I've skimmed the last year or so of the archive, but without a dedicated
search function it's kind of hard to tell what's been previously discussed.
I was wondering if the issue of renewing certificates (i.e., same key
material, different validity & serial, possibly different DN) has arisen
before the WG and if anyone could point me to the relevant threads (or
perhaps would be willing to discuss the subject on- or off-list).
I have an operational need to renew (extend the lifetime) rather than
reissue certificates, but the messages my mailers create use
issuerAndSerialNumber as the RecipientInfo pointer. This means that
after the removal of the old certificate the enveloped messages cannot
be decrypted by the mail agent. It seems to me that if the
RecipientInfo were set to subjectKeyIdentifier, old messages could still
be decrypted with renewed certificates (assuming that SKI is set to the
key's hash as recommended), even after the old certificate is removed.
Unfortunately, all the S/MIME mailers I have access to use
issuerAndSerialNumber. I've messed around trying to construct an
envelope using SKI to test without success; this could be either a
failure on my part or lack of support in the mail agent -- I can't tell
which.
Thanks in advance.
--
-- Timothy J. Miller
( The MITRE Corporation )
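An added example, not from the post above or from any of the mailers it mentions: it models the lookup a mail agent performs for each CMS RecipientIdentifier form (RFC 5652, KeyTransRecipientInfo.rid) when a certificate has been renewed with the same key but a new serial number, and the old certificate has since been removed from the store. The DER encoding of the two choices (issuerAndSerialNumber as SEQUENCE { Name, INTEGER }, subjectKeyIdentifier as [0] IMPLICIT OCTET STRING) follows the RFC; the certificate store, issuer name and public-key bytes are constructed sample data, the SKI is derived with method (1) of RFC 5280 section 4.2.1.2, and issuer Name matching is simplified to byte equality of a single-CN Name.

```python
"""Added example: recipient lookup by issuerAndSerialNumber vs. subjectKeyIdentifier
across a certificate renewal (same key, new serial). Not code from the original post."""
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for the certificate fields the lookup needs."""
    issuer_cn: str
    serial: int
    spki_bits: bytes  # contents of the subjectPublicKey BIT STRING (constructed bytes)

    @property
    def ski(self) -> bytes:
        # SKI method (1) from RFC 5280 4.2.1.2: SHA-1 over the subjectPublicKey bits.
        return hashlib.sha1(self.spki_bits).digest()


def der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder (short and long definite-length forms)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_name_cn(cn: str) -> bytes:
    """Name ::= RDNSequence holding one RDN with a single CN (OID 2.5.4.3, UTF8String)."""
    atv = der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))
    return der(0x30, der(0x31, atv))


def der_integer(v: int) -> bytes:
    """DER INTEGER with minimal two's-complement encoding (non-negative v)."""
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def rid_issuer_and_serial(issuer_cn: str, serial: int) -> bytes:
    """RecipientIdentifier.issuerAndSerialNumber: SEQUENCE { issuer Name, serialNumber INTEGER }."""
    return der(0x30, der_name_cn(issuer_cn) + der_integer(serial))


def rid_subject_key_identifier(ski: bytes) -> bytes:
    """RecipientIdentifier.subjectKeyIdentifier: [0] IMPLICIT OCTET STRING (context tag 0x80)."""
    return der(0x80, ski)


def read_tlv(buf: bytes, pos: int = 0):
    """Decode one DER TLV at pos; returns (tag, content, position after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def find_recipient_cert(rid: bytes, store: list) -> Optional[Cert]:
    """Resolve a RecipientIdentifier against the agent's local certificate store."""
    tag, content, _ = read_tlv(rid)
    if tag == 0x30:  # issuerAndSerialNumber: match on issuer Name bytes and serial
        name_tag, _, after_name = read_tlv(content)
        int_tag, int_body, _ = read_tlv(content, after_name)
        if name_tag != 0x30 or int_tag != 0x02:
            raise ValueError("malformed IssuerAndSerialNumber")
        name_der = content[:after_name]
        serial = int.from_bytes(int_body, "big", signed=True)
        return next((c for c in store
                     if der_name_cn(c.issuer_cn) == name_der and c.serial == serial), None)
    if tag == 0x80:  # [0] subjectKeyIdentifier: match on the key identifier only
        return next((c for c in store if c.ski == content), None)
    raise ValueError("unknown RecipientIdentifier choice tag 0x%02x" % tag)


def renewal_scenario() -> dict:
    """Same key renewed under serial 2002; old serial 1001 removed from the store afterwards."""
    key = b"constructed-sample-subjectPublicKey-bits"
    old = Cert("Example Issuing CA", 1001, key)
    renewed = Cert("Example Issuing CA", 2002, key)  # same key material, new serial/validity
    rid_ias = rid_issuer_and_serial(old.issuer_cn, old.serial)  # what the mailers write today
    rid_ski = rid_subject_key_identifier(old.ski)                # SKI is identical for both certs
    before, after = [old, renewed], [renewed]
    return {
        "ias_before": find_recipient_cert(rid_ias, before),
        "ias_after": find_recipient_cert(rid_ias, after),   # None: pointer is now dangling
        "ski_before": find_recipient_cert(rid_ski, before),
        "ski_after": find_recipient_cert(rid_ski, after),   # renewed cert still resolves
    }


if __name__ == "__main__":
    for k, v in renewal_scenario().items():
        print(k, "->", None if v is None else "serial %d" % v.serial)
```

Run as a script to see the four lookups. The issuerAndSerialNumber pointer resolves only while the old certificate is still in the store, whereas the SKI pointer resolves to either certificate carrying the key, which is the behaviour the post expects from a renewal. A real agent compares issuer Names under the RFC 5280 matching rules and walks a full RecipientInfos SET rather than a single rid, both omitted here.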