Posted by Brian Komar [MVP] on January 14, 2006, 11:01 am
hagaiy@yahoo.com says...
> Hello,
>
> I am providing PKI authentication to my application, I am holding a
> trusted CA list and I would like to enable trusting a subordinate CA
> in my server (I do not want to trust the root CA and other subordinate
> CAs, only a specific subordinate CA to provide certificates for
> client authentication), but this causes a problem in revocation checking.
> Since I don't have the root CA in my trusted CA list I cannot
> perform CRL validation for the certificate chain of a client
> certificate (I cannot validate the CRL for the trusted subordinate CA
> since it is signed by a root CA).
>
> The only solution that I can think of is using two separate trusted
> CA stores, one for authentication (that will contain only the
> specific subordinate CA) and one for revocation checking (that will
> contain the root CA). Does this sound like a reasonable solution? Has
> anyone done something like this and can provide some information on
> how?
>
> TX.
> Hagai.
>
>
In your own application, you could reference this "private" store. In
many ways, Windows does this as well. For example, for smart card
authentication, the smart card must:
1) Chain to a trusted root CA
2) Pass a revocation check
3) Be issued by an issuing CA that is in the NTAuth store
So you could programmatically check whether the subordinate CA is in
your "private" store.
Brian
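The three checks in the reply, as an added example that is not part of the original thread and not Microsoft's or anyone's production code: a Go program using only the standard library's crypto/x509 (not CryptoAPI) that builds a small constructed test PKI, a root with two subordinate CAs under it, and then validates client certificates the way the reply describes. Chain building and CRL checking use the store that contains the root, while a separate "private" store lists only the one subordinate CA allowed to issue client certificates, the role the NTAuth store plays for smart-card logon. All names (Test Root CA, Allowed Sub CA, Other Sub CA, alice, bob, mallory), the Policy type and the mkCert/mkCRL/must helpers are made up for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // panics on error; only used while building the constructed test PKI
	if err != nil {
		panic(err)
	}
	return v
}

// mkCert issues a certificate for cn with the given key usage, self-signed when parent is nil (test PKI only).
func mkCert(cn string, ku x509.KeyUsage, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject: pkix.Name{CommonName: cn}, IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: ku, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)))), key
}

// mkCRL returns a CRL signed by issuer that lists the given serials as revoked.
func mkCRL(issuer *x509.Certificate, key ed25519.PrivateKey, revoked ...*big.Int) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Hour), NextUpdate: time.Now().Add(24 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, issuer, key))))
}

type Policy struct {
	Roots, Intermediates *x509.CertPool                 // chain-building material; the root lives here
	CRLs                 map[string]*x509.RevocationList // keyed by string(crl.RawIssuer)
	PrivateStore         []*x509.Certificate             // issuing CAs allowed to issue client certs (cf. NTAuth)
}

// Verify applies the reply's three checks: chain to a trusted root, pass a revocation check, issuer in the private store.
func (p *Policy) Verify(leaf *x509.Certificate) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: p.Roots, Intermediates: p.Intermediates, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil || len(chains[0]) < 2 {
		return fmt.Errorf("chain: no path from %s through an issuing CA to a trusted root: %v", leaf.Subject.CommonName, err)
	}
	chain := chains[0] // leaf, issuing CA, ..., root
	for i := 0; i+1 < len(chain); i++ { // every cert below the root is checked against its issuer's CRL
		cert, issuer := chain[i], chain[i+1]
		crl := p.CRLs[string(issuer.RawSubject)]
		if crl == nil || crl.CheckSignatureFrom(issuer) != nil || time.Now().After(crl.NextUpdate) {
			return fmt.Errorf("revocation: no valid current CRL from %s", issuer.Subject.CommonName) // fail closed
		}
		for _, r := range crl.RevokedCertificates {
			if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
				return fmt.Errorf("revocation: %s is revoked", cert.Subject.CommonName)
			}
		}
	}
	for _, allowed := range p.PrivateStore { // whole-certificate match, not a name match
		if allowed.Equal(chain[1]) {
			return nil
		}
	}
	return fmt.Errorf("policy: issuer %q is not in the private store", chain[1].Subject.CommonName)
}

// Scenario builds the constructed PKI: one root, two subordinates under it and a client certificate from each.
func Scenario() (p *Policy, good, revoked, fromOther *x509.Certificate) {
	const caKU = x509.KeyUsageCertSign | x509.KeyUsageCRLSign // a CA signs both certificates and CRLs
	root, rootKey := mkCert("Test Root CA", caKU, nil, nil)
	allowed, allowedKey := mkCert("Allowed Sub CA", caKU, root, rootKey)
	other, otherKey := mkCert("Other Sub CA", caKU, root, rootKey)
	good, _ = mkCert("alice", x509.KeyUsageDigitalSignature, allowed, allowedKey)
	revoked, _ = mkCert("mallory", x509.KeyUsageDigitalSignature, allowed, allowedKey)
	fromOther, _ = mkCert("bob", x509.KeyUsageDigitalSignature, other, otherKey)
	p = &Policy{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(), CRLs: map[string]*x509.RevocationList{}, PrivateStore: []*x509.Certificate{allowed}}
	p.Roots.AddCert(root)
	p.Intermediates.AddCert(allowed)
	p.Intermediates.AddCert(other)
	// The root signs the subordinates' CRL, so it must be available to the revocation check although it is not an allowed issuer.
	for _, crl := range []*x509.RevocationList{mkCRL(root, rootKey), mkCRL(allowed, allowedKey, revoked.SerialNumber), mkCRL(other, otherKey)} {
		p.CRLs[string(crl.RawIssuer)] = crl
	}
	return p, good, revoked, fromOther
}

func main() {
	p, good, revoked, fromOther := Scenario()
	fmt.Println(p.Verify(good), p.Verify(revoked), p.Verify(fromOther))
}
```

Running it prints three results: alice (issued by the allowed subordinate) passes; mallory is rejected because the allowed subordinate's CRL lists her serial; bob is rejected even though he chains to the same trusted root and is not revoked, because his issuer is not in the private store. The revocation step fails closed when no current, correctly signed CRL is available for an issuer, and the subordinate CA's own entry is checked against the CRL signed by the root, which is exactly why the root must be reachable by the revocation check while staying out of the private store.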