%% You should probably cite draft-wang-lamps-root-ca-cert-rekeying-01 instead of this revision. @techreport{wang-lamps-root-ca-cert-rekeying-00, number = {draft-wang-lamps-root-ca-cert-rekeying-00}, type = {Internet-Draft}, institution = {Internet Engineering Task Force}, publisher = {Internet Engineering Task Force}, note = {Work in Progress}, url = {https://datatracker.ietf.org/doc/draft-wang-lamps-root-ca-cert-rekeying/00/}, author = {Guilin WANG and Yanjiang Yang and Jie Zhang}, title = {{Root CA Certificate Rekeying in the Scenario of Post Quantum Migration}}, pagetotal = 10, year = , month = , day = , abstract = {In the public key infrastructures (PKIs), root certifcation authority (CA) certificate rekeying is crucial to guarantee business continuity. Two approaches are given in {[}RFC4210{]} for entities which are belonging to different generations to verify each other's certificate chain. However, these two approaches rely on the assumption that the old entities can be updated. In this draft, we propose a one-way link certificate based solution such that old entities are transparent to root CA certificate rekeying. Namely, during the overlapping lifetime of two root CA certificates, without any update in old entities, old and new entities can verify each other's certificate chain smoothly. Furthermore, the proposed solution works in both traditional PKIs, and post-quantum (PQ) PKIs, where the cerficate can be pure PQ ones or hybrid ones.}, }