
RE: Certificate suspension




At 8:28 AM -0800 1/23/08, Terwilliger, Ann wrote:
Actually we do use suspension.  It gives us a means of preventing the
certificate from being relied upon (assuming of course that the relying
party application recognizes the 'on hold' entry in the CRL) while we
complete the investigation to see if there really is a valid reason to
revoke the certificate.  By suspending the certificate we still have the
option to reinstate it without requiring the certificate requestor to
generate a new key pair/certificate request.

A new cert request need not entail a new key pair. The bundling of these two makes the process more painful for the Subject, and thus provides greater justification for suspension vs. revocation, but such bundling is NOT required by the standards.

Steve