> David Schwartz wrote:
> > Michael Sierchio:
> >> If it's your policy not to reuse keys, or allow their use beyond
> >> the lifespan of the certificate, then the enforcement mechanism
> >> for this MUST be in the CA.
> I completely disagree. If this were true, CA's would generate
> the private key as part of the certificate issuing process.
> That doesn't follow. In any case, the only place where certificate issuing
> policy can be enforced is the RA and/or CA.

Sure, the CA makes the decision whether or not to issue a certificate. However, it can't make me use that certificate for anything. If I don't like the certificate, for any reason, I can refuse to use it.

The issue was whether the CA is the only place key policy can be enforced. It isn't -- I choose what key to use in the CSR, and can enforce any policy I want to decide what key to send. The CA can refuse to issue a certificate based on the CSR or could, at least in theory, issue a certificate with a completely different key in it. But I can also evaluate the key in the certificate when I make the decision whether to use the certificate or not. So there are at least two other places key policy for certificates can be enforced other than at the CA's decision to issue the certificate.

If the only place *key* policy could be enforced was the CA, we're in trouble. There must be a policy that the private key not be publicly disclosed, and the CA has (in typical applications such as the Internet's TLS PKI) no ability to enforce this.

> The rest of your argument is just as specious, and I could make a career
> out of correcting your errors, but you're determined not to learn.

I agree that all of my arguments are equally specious.

DS

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
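The two enforcement points DS places outside the CA (choosing the key before the CSR is sent, and evaluating the key in the issued certificate before using it) are checks the subscriber can run locally. As an added example, not code from the thread or from OpenSSL, here is a stdlib-only Python check of a DER SubjectPublicKeyInfo (the public-key structure shared by CSRs and certificates) against a minimum RSA size; `make_rsa_spki` and the two "moduli" are constructed test input, not real keys, and a real deployment would pull the SPKI out of the CSR or certificate with an X.509 library first.

```python
# Added example (not from the thread or OpenSSL): subscriber-side key policy
# applied to a DER SubjectPublicKeyInfo from a CSR or certificate. Stdlib only.
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption 1.2.840.113549.1.1.1

def read_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki):
    """RSA modulus size in bits, or None if the key is not RSA."""
    tag, body, _ = read_tlv(spki)          # SubjectPublicKeyInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, alg, pos = read_tlv(body)           # AlgorithmIdentifier
    oid_tag, oid, _ = read_tlv(alg)
    if oid_tag != 0x06 or oid != RSA_OID:
        return None
    _, bits, _ = read_tlv(body, pos)       # subjectPublicKey BIT STRING
    _, rsa_pub, _ = read_tlv(bits[1:])     # skip unused-bits octet -> RSAPublicKey
    _, modulus, _ = read_tlv(rsa_pub)      # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()

def key_meets_policy(spki, min_bits=2048):
    """Local policy the CA cannot apply for us: RSA only, modulus >= min_bits."""
    bits = rsa_modulus_bits(spki)
    return bits is not None and bits >= min_bits

# Constructed test input: hypothetical helpers; the moduli are just odd numbers.
def der_tlv(tag, value):
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    raw = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + value

def der_int(v):
    raw = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    return der_tlv(0x02, (b"\x00" if raw[0] & 0x80 else b"") + raw)

def make_rsa_spki(modulus, exponent=65537):
    alg = der_tlv(0x30, der_tlv(0x06, RSA_OID) + b"\x05\x00")  # rsaEncryption, NULL
    rsa_pub = der_tlv(0x30, der_int(modulus) + der_int(exponent))
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + rsa_pub))

if __name__ == "__main__":
    for spki in (make_rsa_spki((1 << 511) | 1), make_rsa_spki((1 << 2047) | 1)):
        print(rsa_modulus_bits(spki), key_meets_policy(spki))  # 512 False / 2048 True
```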