[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Certificate suspension

To: Stephen Wilson <swilson@xxxxxxxxxxxxxxx>
Subject: Re: Certificate suspension
From: Yoav Nir <ynir@xxxxxxxxxxxxxx>
Date: Wed, 23 Jan 2008 10:41:27 +0200
Cc: ietf-pkix@xxxxxxxx
In-reply-to: <47969D3B.7030502@xxxxxxxxxxxxxxx>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
References: <47969D3B.7030502@xxxxxxxxxxxxxxx>
Sender: owner-ietf-pkix@xxxxxxxxxxxx

If you browse the archives of this mailing list, you will find in lateNovember and early December of 2007 a discussion of "on-holdcertificates in CRLs"

Most appear to share your sentiments about suspension, but apparentlythere are some regulatory requirements that are satisfied by thepossibility of suspension.


Yoav

On Jan 23, 2008, at 3:49 AM, Stephen Wilson wrote:

I'm wondering to what extent is X.509 certificate suspension used inpractice?
Most if not all publicly visible CPs describe suspension, in almostexactly the same way as they do revocation. Yet in my experience, Icannot ever recall a commercial CA or a closed/vertical PKI actuallydoing suspensions.
To my mind, suspension is riddled with difficulties, not anticipatedby the way CRLs work. I could go into my concerns in a separate e-mail. But if anyone can point to suspension being offered inpractice (or failing that, a critique of suspension) that would beappreciated!
Thanks in advance.

Cheers,

Stephen Wilson

References:
- Certificate suspension
  - From: Stephen Wilson

Prev by Date: Certificate suspension
Next by Date: RE: Certificate suspension
Previous by thread: Certificate suspension
Next by thread: RE: Certificate suspension
Index(es):
- Date
- Thread