ietf-smime

Re: Certificate renewal and enveloped-data.

2004-04-07 07:07:31

"Timothy J. Miller" <tmiller(_at_)mitre(_dot_)org> writes:

> I have an operational need to renew (extend the lifetime) rather than reissue
> certificates, but the messages my mailers create use issuerAndSerialNumber as
> the RecipientInfo pointer.  This means that after the removal of the old
> certificate the enveloped messages cannot be decrypted by the mail agent.

Can't you just have two issuerAndSerialNumber index entries pointing to the
same private key?  I must admit it's not something that's come up before (I
strongly encourage users to generate new keys and not re-certify the same old
key year in, year out, which probably helps), but if you needed to do it you
could just retain the old iAndS index entry for the private key.

(Do you specifically need an MTA that does this, or will an S/MIME toolkit do?
:-).

> Unfortunately, all the S/MIME mailers I have access to use
> issuerAndSerialNumber.  I've messed around trying to construct an envelope
> using SKI to test without success; this could be either a failure on my part
> or lack of support in the mail agent -- I can't tell which.

I don't think this will help: when you delete the old cert the sKID goes with
it, so when you lose the iAndS you also lose the sKID.

Peter.
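The suggestion above, keeping the old issuerAndSerialNumber index entry pointing at the still-valid private key, is easy to model. The following is an added example written for this page; it is not code from the thread, from any S/MIME mailer, or from an S/MIME toolkit. A CMS KeyTransRecipientInfo carries a RecipientIdentifier that is either issuerAndSerialNumber or subjectKeyIdentifier (RFC 5652, section 6.2.1); the recipient must map that value to a private key. The certificates, key handles and SubjectPublicKeyInfo bytes below are constructed stand-ins, not real ASN.1 objects, and `RecipientKeyIndex` and `renewal_scenario` are names chosen for the example.

```python
"""Constructed model of an S/MIME recipient key index across a certificate renewal.

The index maps RecipientIdentifier values (issuerAndSerialNumber or
subjectKeyIdentifier) to private-key handles, the lookup a mail agent performs
when decrypting EnvelopedData. All objects here are constructed stand-ins.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class IssuerAndSerialNumber:
    issuer: str          # issuer DN, kept as a string in this model
    serial: int


@dataclass(frozen=True)
class SubjectKeyIdentifier:
    key_id: bytes


@dataclass(frozen=True)
class Certificate:
    issuer: str
    serial: int
    spki: bytes          # constructed stand-in for the DER SubjectPublicKeyInfo

    @property
    def issuer_and_serial(self) -> IssuerAndSerialNumber:
        return IssuerAndSerialNumber(self.issuer, self.serial)

    @property
    def subject_key_identifier(self) -> SubjectKeyIdentifier:
        # SHA-1 over the public key, the common RFC 3280 sec. 4.2.1.2 method (1);
        # a renewed certificate for the same key therefore gets the same SKI.
        return SubjectKeyIdentifier(hashlib.sha1(self.spki).digest())


class RecipientKeyIndex:
    """Maps RecipientIdentifier values to private-key handles."""

    def __init__(self):
        self._key_by_rid = {}      # RecipientIdentifier -> private-key handle
        self._rids_by_cert = {}    # (issuer, serial) -> identifiers registered for it

    def add_certificate(self, cert, private_key):
        rids = {cert.issuer_and_serial, cert.subject_key_identifier}
        for rid in rids:
            self._key_by_rid[rid] = private_key
        self._rids_by_cert[(cert.issuer, cert.serial)] = rids

    def remove_certificate(self, cert, retain_index=False):
        """Drop a certificate. With retain_index=True its identifiers keep
        resolving to the private key, so old enveloped mail stays readable."""
        rids = self._rids_by_cert.pop((cert.issuer, cert.serial), set())
        if retain_index:
            return
        for rid in rids:
            # Keep an entry another registered certificate still claims
            # (a renewed cert for the same key shares the SKI entry).
            if not any(rid in other for other in self._rids_by_cert.values()):
                self._key_by_rid.pop(rid, None)

    def lookup(self, rid):
        return self._key_by_rid.get(rid)


def renewal_scenario(retain_old_index):
    """Renew a certificate (same key, new serial), remove the old one, then
    resolve identifiers as they would appear in old and new messages.
    Returns which lookups still find the private key."""
    key = "rsa-key-handle-1"                          # constructed opaque handle
    spki = b"constructed-spki-bytes-for-key-1"        # constructed key material
    old = Certificate("CN=Example CA", 0x1001, spki)
    new = Certificate("CN=Example CA", 0x2002, spki)  # renewal: same key, new serial

    index = RecipientKeyIndex()
    index.add_certificate(old, key)
    index.add_certificate(new, key)
    index.remove_certificate(old, retain_index=retain_old_index)

    return {
        "old_iands": index.lookup(old.issuer_and_serial) == key,   # older mail
        "new_iands": index.lookup(new.issuer_and_serial) == key,   # newer mail
        "skid": index.lookup(old.subject_key_identifier) == key,   # SKI-addressed mail
    }


if __name__ == "__main__":
    print("old cert removed, index dropped:  ", renewal_scenario(False))
    print("old cert removed, index retained: ", renewal_scenario(True))
```

Without retention, mail enveloped to the old issuerAndSerialNumber no longer resolves to a key even though the key itself is unchanged, which is the failure described in the thread; retaining the old index entry keeps it decryptable. In this model the SKI entry survives removal of the old certificate only because the renewed certificate was registered for the same key; a mailer that keys its index on certificate objects rather than on identifiers would lose it too.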

