Re: Certificate suspension

[Russ Housley <housley@xxxxxxxxxxxx>]

I have said many times that I wish we had deprecated certificate 
suspension in RFC 2459 and all of its successors.  As you say, it is 
riddled with difficulties, and those have been discussed many times 
over the years.

When we were working on RFC 2459 someone from the financial community 
argued that it was needed.  So, it was not deprecated.   You can look 
at the archives for the recurring discussion.

Russ

At 08:49 PM 1/22/2008, Stephen Wilson wrote:


> I'm wondering to what extent is X.509 certificate suspension used in practice?
>
> Most if not all publicly visible CPs describe suspension, in almost 
> exactly the same way as they do revocation.  Yet in my experience, I 
> cannot ever recall a commercial CA or a closed/vertical PKI actually 
> doing suspensions.
>
> To my mind, suspension is riddled with difficulties, not anticipated 
> by the way CRLs work.  I could go into my concerns in a separate 
> e-mail. But if anyone can point to suspension being offered in 
> practice (or failing that, a critique of suspension) that would be appreciated!
>
> Thanks in advance.
>
> Cheers,
>
> Stephen Wilson
> Managing Director
> Lockstep
>
> Phone +61 (0)414 488 851
>
> www.lockstep.com.au
> -------------------
>  * Lockstep Technologies: ICT Secrets of Innovation Finalist 2007
>  * Lockstep Technologies: Anthill / PwC Cool Company Finalist 2007
> -------------------
> Lockstep Consulting provides independent specialist advice and analysis
> on authentication, PKI and smartcards.  Lockstep Technologies develops
> unique new smart ID solutions that safeguard identity and privacy.