
While searching knowledge on this, I found How do I prepare for Certificate Authority end of business?, but I don't quite seem to grasp it.

Let's say:

  1. one operates a file server X,

  2. X saves files, signatures and the public certificate information from S which was used to sign the files sent by S to X,

  3. party Y downloads the file and signature from X and wishes to verify that it is a file signed by S.

I believe the verification works as long as the public certificate stored and later served with the file and signature by X works, but what if the CA has gone out of business or S has changed to a different provider? Is the chain of the old, saved public certificates along with the data trusted anymore? If it is, how come, if the chain to the CA is broken?

Although legal liability is largely a non-technical matter, if the chain is broken (see the previous passage), wouldn't changing CAs allow S to evade potential issues arising from signing documents? I.e., it could technically repudiate the signatures.

Edit: I suspect this could revolve around some of the fields that state the legal entity that has requested the certificate, the company name or some such. Also interesting reads are SSL certificate chain verification, Manually walking through the signature validation of a certificate and PKI - Certificate Chain Validation, which lead me to believe all the certificates excluding the root CA need to be present. At least on Windows the root CA needs to be installed by Microsoft, so I wonder: if the root CA gets removed, what then?

Veksi

1 Answer


Is the chain of the old, saved public certificates along the data trusted anymore?

Yes, unless some reason for that trust to be revoked has taken place like a revocation or expiration.

If it is, how come, if the chain to CA is broken?

The chain has not been "broken." As long as all the public keys remain available, the chain is intact, regardless of any company going out of business.

unor
alzee
  • Hmm, does the "As long as all the public keys remain available" mean the public keys of the whole chain or do you mean in the context of this question all the public keys that have been used to sign the files? I'm reading at http://security.stackexchange.com/questions/59566/ssl-certificate-chain-verification and judging it, I'm led to believe all the certificates should be present when validating the signature. – Veksi Aug 03 '16 at 16:50
  • I was talking in the context of one signed file -- so all of the public keys that were involved in the signing-chain of that file. For files signed with the same key, that chain will be the same. – alzee Aug 03 '16 at 17:46
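The situation the answer describes, as an added example that is not code from the original question or answer: a constructed three-certificate PKI (root, issuing intermediate, and the end-entity certificate issued to S), S signing a file, X's stored bundle (file, detached signature, S's certificate plus the intermediate), and Y validating everything offline with the openssl command-line tool. Every name, path and document below is made up for the example; the only assumptions are a POSIX sh and openssl 1.1.1 or later. It also goes slightly beyond the thread by showing the two cases in which the answer says trust does end (an expired certificate, via `-attime`) and in which the question's reading is right (validation fails when the stored intermediate is missing).

```shell
# Added example; not code from the original post or its answer.  Assumes a POSIX sh
# and the openssl CLI (1.1.1+).  Everything here is constructed locally: the "CA",
# party S's key and certificate, and the document that gets signed.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in for the CA: a self-signed root plus an issuing intermediate, and the
# end-entity certificate issued to S.  After this function the CA's private keys
# are never touched again, which is exactly the "CA went out of business" case.
build_pki() {
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/ca.ext"
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' >"$WORK/ee.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1 || return 1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Issuing CA" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -sha256 -days 1825 -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" >/dev/null 2>&1 || return 1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=S Document Signing" \
    -keyout "$WORK/s.key" -out "$WORK/s.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -sha256 -days 365 -in "$WORK/s.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -extfile "$WORK/ee.ext" -out "$WORK/s.pem" >/dev/null 2>&1
}

# S signs a file with its private key.  X then stores the file, this detached
# signature, S's certificate and the intermediate; the root is Y's own trust anchor.
sign_file() {  # $1 = file, $2 = signature output
  openssl dgst -sha256 -sign "$WORK/s.key" -out "$2" "$1"
}

# Y's check 1: build a path from the stored end-entity certificate to a root Y trusts.
#   $1 = S's certificate   $2 = trusted root   $3 = stored intermediate(s), "" if lost
#   $4 = optional epoch seconds at which to evaluate validity (default: now)
# Nothing is fetched from the CA, so the CA's later fate plays no part here.
verify_chain() {
  ee=$1; root=$2; inter=$3; at=${4:-}
  set --
  [ -n "$inter" ] && set -- "$@" -untrusted "$inter"
  [ -n "$at" ] && set -- "$@" -attime "$at"
  openssl verify -CAfile "$root" "$@" "$ee" >/dev/null 2>&1
}

# Y's check 2: does the signature verify under the public key in the stored certificate?
verify_signature() {  # $1 = S's certificate, $2 = file, $3 = detached signature
  openssl x509 -in "$1" -pubkey -noout >"$WORK/s.pub" 2>/dev/null &&
    openssl dgst -sha256 -verify "$WORK/s.pub" -signature "$3" "$2" >/dev/null 2>&1
}

# --- Demonstration ---
build_pki
printf 'Invoice 42: pay 1000 EUR to account A\n' >"$WORK/doc.txt"       # constructed document
printf 'Invoice 42: pay 1000 EUR to account B\n' >"$WORK/tampered.txt"  # constructed alteration
sign_file "$WORK/doc.txt" "$WORK/doc.sig"
FUTURE=$(( $(date +%s) + 400 * 86400 ))   # after S's 365-day certificate has expired

verify_chain "$WORK/s.pem" "$WORK/root.pem" "$WORK/inter.pem" && echo "chain with stored intermediate: OK"
verify_chain "$WORK/s.pem" "$WORK/root.pem" "" || echo "chain without the intermediate: FAILS (no path to root)"
verify_chain "$WORK/s.pem" "$WORK/root.pem" "$WORK/inter.pem" "$FUTURE" || echo "same chain after expiry: FAILS"
verify_signature "$WORK/s.pem" "$WORK/doc.txt" "$WORK/doc.sig" && echo "signature on stored file: OK"
verify_signature "$WORK/s.pem" "$WORK/tampered.txt" "$WORK/doc.sig" || echo "signature on altered file: FAILS"
```

Two things worth noticing when running it. First, the only input Y needs from the CA is the root certificate Y already trusts; every other certificate in the path comes from X's stored bundle, which is why the path still validates after the CA's keys are gone but stops validating the moment the intermediate is not in the bundle. Second, `openssl verify` as used here does no revocation checking (no `-crl_check`), and that is the genuine loss when a CA shuts down: it stops publishing CRLs and answering OCSP, so Y can no longer tell whether S's certificate was revoked before the signature was made. That gap, not the chain itself, is what a trusted timestamp on the signature is meant to close.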