LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Replacing an expired certificate with a new one

Replacing an expired certificate with a new one

Posted Mar 31, 2011 9:46 UTC (Thu) by epa (subscriber, #39769)
Parent article: Fallout from the fraudulent SSL certificates

When a certificate changes, CP will examine the new certificate and rate the likelihood that it indicates some kind of attack. For example, CP tries to detect certificates that were replaced because they were near to their expiration, and rates that change appropriately.
When a certificate is replaced, a keypair certified by the old certificate could be used to sign the new certificate. Then you'd be able to check that the new certificate was issued to the same person, in some sense, as the old certificate. This is an additional check, as well as choosing which CAs to trust.

(Log in to post comments)

Replacing an expired certificate with a new one

Posted Mar 31, 2011 13:27 UTC (Thu) by erwbgy (subscriber, #4104) [Link]

I don't see how that would work. Certificates are just signed public keys and if you encrypt something with a public key (a signature is basically an encrypted digest) it can only be decrypted by the corresponding private key. If you sign the new certificate with the old certificate then only someone with the private key would be able to verify the signature and third-parties don't have that.

Or perhaps your proposed scheme doesn't work like that?

Replacing an expired certificate with a new one

Posted Mar 31, 2011 13:43 UTC (Thu) by epa (subscriber, #39769) [Link]

Yes, I'm a bit shaky on the terminology here and I thought somebody might spot that.

So, a certificate is a signed public key. That public key has a corresponding private key. Use the old private key to sign the new certificate. Then somebody who has your old public key (given by the old certificate) can use it to verify the new certificate. Even if the old certificate is expired, you can still use it for the limited task of checking the new one (or better, the cert should have two expiry dates, one for general use, and a longer one just for validating its successor).

This makes sure that whoever has the new keypair, identified by the new certificate, also has the old keypair. In other words it provides some measure of making sure the same person or entity controls the new private key as the old. If, additionally, the old certificate is near or past its expiry date, and the new certificate is signed by one or more CAs that you trust, then you have a reasonable certainty that the new cert is genuine. This is better than relying on CAs alone.

Replacing an expired certificate with a new one

Posted Apr 1, 2011 13:29 UTC (Fri) by knobunc (subscriber, #4678) [Link]

It is a good idea, but it only helps you if you have the old public key. It certainly adds another layer of trust that Certificate Patrol can make use of.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds