RE: Certificate suspension
Actually we do use suspension. It gives us a means of preventing the
certificate from being relied upon (assuming of course that the relying
party application recognizes the 'on hold' entry in the CRL) while we
complete the investigation to see if there really is a valid reason to
revoke the certificate. By suspending the certificate we still have the
option to reinstate it without requiring the certificate requestor to
generate a new key pair/certificate request.
Ann Terwilliger, CISSP | Product Director|
Visa Incorporated| 650.432.3661
-----Original Message-----
From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx]
On Behalf Of Stephen Wilson
Sent: Tuesday, January 22, 2008 5:50 PM
To: ietf-pkix@xxxxxxxx
Subject: Certificate suspension
I'm wondering to what extent is X.509 certificate suspension used in
practice?

Most if not all publicly visible CPs describe suspension, in almost
exactly the same way as they do revocation. Yet in my experience, I
cannot ever recall a commercial CA or a closed/vertical PKI actually
doing suspensions.

To my mind, suspension is riddled with difficulties, not anticipated by
the way CRLs work. I could go into my concerns in a separate e-mail.
But if anyone can point to suspension being offered in practice (or
failing that, a critique of suspension) that would be appreciated!

Thanks in advance.
Cheers,
Stephen Wilson
Managing Director
Lockstep
Phone +61 (0)414 488 851
www.lockstep.com.au
-------------------
* Lockstep Technologies: ICT Secrets of Innovation Finalist 2007
* Lockstep Technologies: Anthill / PwC Cool Company Finalist 2007
-------------------
Lockstep Consulting provides independent specialist advice and analysis
on authentication, PKI and smartcards. Lockstep Technologies develops
unique new smart ID solutions that safeguard identity and privacy.
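
Added example, not part of either message: a sketch of the relying-party check that the reply's caveat depends on, telling a certificateHold entry apart from a permanent revocation and honouring a later delta CRL that releases or confirms the hold. The reason code values are those of RFC 5280; the `Entry` type, the function names and the sample serial numbers are constructed for illustration.

```python
from enum import Enum
from typing import NamedTuple, Optional

# CRLReason values defined in RFC 5280, section 5.3.1.
KEY_COMPROMISE = 1
CERTIFICATE_HOLD = 6   # the "on hold" entry: suspended, not yet revoked
REMOVE_FROM_CRL = 8    # delta CRLs only: released from hold (or expired)

class Status(Enum):
    GOOD = "good"
    ON_HOLD = "on hold"
    REVOKED = "revoked"

class Entry(NamedTuple):
    serial: int
    reason: Optional[int] = None   # None: no reasonCode extension present

def effective_entries(base, delta=()):
    """Apply a delta CRL on top of its base CRL, keyed by serial number."""
    view = {e.serial: e for e in base}
    for e in delta:
        if e.reason == REMOVE_FROM_CRL:
            view.pop(e.serial, None)   # CA reinstated the certificate
        else:
            view[e.serial] = e         # new entry, or a hold made permanent
    return view

def status(serial, base, delta=()):
    entry = effective_entries(base, delta).get(serial)
    if entry is None:
        return Status.GOOD
    if entry.reason == CERTIFICATE_HOLD:
        return Status.ON_HOLD
    return Status.REVOKED   # any other or missing reason: fail closed

def may_rely(serial, base, delta=()):
    """Neither a suspended nor a revoked certificate may be relied upon."""
    return status(serial, base, delta) is Status.GOOD

# Constructed sample data (serial numbers are made up).
BASE = [Entry(0x1001, CERTIFICATE_HOLD), Entry(0x1002, KEY_COMPROMISE)]
DELTA_REINSTATE = [Entry(0x1001, REMOVE_FROM_CRL)]
DELTA_REVOKE = [Entry(0x1001, KEY_COMPROMISE)]

if __name__ == "__main__":
    for name, delta in [("base only", ()), ("reinstated", DELTA_REINSTATE),
                        ("revoked", DELTA_REVOKE)]:
        print(name, status(0x1001, BASE, delta).value)
```

The same key pair stays usable after reinstatement because the certificate itself never changes; only its presence in the CRL does.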