
Re: Certificate suspension



Hi Johannes
In my experience, those who write the laws often have a poor understanding of technical issues; therefore some words that have a very specific meaning in a technical specification are instead used in their general sense, causing a bit of confusion.
Suspension is one of these words, because a document signed during the suspension should be "legally invalid", but there is no standard way of checking a past CRL (i.e. verifying a signature at some time t << now). Or rather, there are some ways (the ETSI specifications on advanced signatures, putting the CRL in the PKCS#7 envelope), but none is generally adopted.
On the other hand, the PKI standards were developed well in advance of the legal concept of electronic signature, a concept that is still unclear in Europe, in spite of the EU Directive of 8 years ago.

Dino Esposito

Johannes Merkle wrote:
Hi Massimiliano,

most signature laws I have seen so far had a quite clear
understanding of what they require. The problems arise from the
limitations in the technical implementations of their logical
requirements.

Johannes

Massimiliano Pala wrote on 23.01.2008 20:20:

Hi all,

I guess that the problem with the current PKIX solution on suspension is
that it is just an extended revocation status - this means that it is
just a sub-case of revocation. In many cases this is not what you need,
and when some laws require "suspension" they do not have a clear idea of
what it actually is.

I wonder how many "non-ad-hoc" applications actually know how to correctly
handle suspension... we are still facing interoperability issues between
PKIs with respect to this issue, I guess...

Later,
Max



Ignacio Alamillo wrote:

Under Spanish law, suspension is a legal requirement (not a strictly
enforced one, but a requirement after all) and therefore many CAs have
implemented it, and it is actually used.
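The two technical points in this thread, that PKIX suspension is just a revocation entry with reason certificateHold, and that verifying a signature at a past time t needs the CRL that was in force at t rather than the current one, can be shown with a small model. The following is an added example written for this archive page, not code from any of the posters or from a PKIX implementation. It models CRLs as plain Python dataclasses instead of parsing real X.509 CRLs; the reason codes are the CRLReason values from RFC 5280 section 5.3.1, and the serial number and dates are constructed for the demonstration.

```python
"""Point-in-time revocation status with PKIX 'suspension' (certificateHold).

Added example: CRLs are modelled with dataclasses, not parsed from DER.
Reason codes follow RFC 5280 section 5.3.1. All serials and dates below
are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Sequence, Tuple

# CRLReason values (RFC 5280 5.3.1); only the ones this example needs.
UNSPECIFIED = 0
KEY_COMPROMISE = 1
CERTIFICATE_HOLD = 6   # "suspension": still a revocation entry in PKIX
REMOVE_FROM_CRL = 8    # only meaningful in delta CRLs: hold was lifted


@dataclass(frozen=True)
class CrlEntry:
    serial: int
    revocation_date: datetime
    reason: int = UNSPECIFIED


@dataclass(frozen=True)
class Crl:
    this_update: datetime
    next_update: datetime
    entries: Tuple[CrlEntry, ...] = ()

    def lookup(self, serial: int) -> Optional[CrlEntry]:
        for e in self.entries:
            if e.serial == serial:
                return e
        return None


def status_from_crl(crl: Crl, serial: int, at: datetime) -> str:
    """Status of `serial` for a signature made at `at`, per one CRL.

    Refuses a CRL that was not in force at `at`: a later CRL has forgotten
    any hold that was lifted since, and an earlier one knows nothing yet.
    """
    if not (crl.this_update <= at < crl.next_update):
        raise ValueError("CRL not in force at %s" % at.isoformat())
    e = crl.lookup(serial)
    if e is None or e.revocation_date > at:
        return "good"
    if e.reason == CERTIFICATE_HOLD:
        return "suspended"          # a sub-case of revoked, as Max says
    if e.reason == REMOVE_FROM_CRL:
        return "good"               # delta CRL: entry is being withdrawn
    return "revoked"


def status_at(crls: Sequence[Crl], serial: int, at: datetime) -> str:
    """Choose the CRL in force at `at` from an archive and apply it.

    This is what verifying at t << now needs; the archive is exactly what
    the ETSI advanced-signature formats carry inside the signature.
    """
    in_force = [c for c in crls if c.this_update <= at < c.next_update]
    if not in_force:
        return "unknown"            # no archived CRL covers t: undecidable
    newest = max(in_force, key=lambda c: c.this_update)
    return status_from_crl(newest, serial, at)


def naive_current_status(current: Crl, serial: int) -> str:
    """What a verifier with only today's CRL does: ignore signing time."""
    e = current.lookup(serial)
    if e is None:
        return "good"
    return "suspended" if e.reason == CERTIFICATE_HOLD else "revoked"


def demo() -> Dict[str, object]:
    """Constructed scenario: held on day 22, hold lifted on day 23."""
    def T(day: int, hour: int = 0) -> datetime:
        return datetime(2008, 1, day, hour, tzinfo=timezone.utc)

    serial = 0x1001                                   # constructed serial
    crl_day21 = Crl(T(21), T(22))                     # nothing revoked
    crl_day22 = Crl(T(22), T(23),
                    (CrlEntry(serial, T(22, 10), CERTIFICATE_HOLD),))
    crl_day23 = Crl(T(23), T(24))                     # hold lifted: entry gone
    archive = [crl_day21, crl_day22, crl_day23]
    signing_time = T(22, 12)                          # signed while on hold

    try:
        status_from_crl(crl_day23, serial, signing_time)
        mismatch_rejected = False
    except ValueError:
        mismatch_rejected = True

    return {
        "archived": status_at(archive, serial, signing_time),      # suspended
        "before_hold": status_at(archive, serial, T(22, 9)),       # good
        "naive_current": naive_current_status(crl_day23, serial),  # good (wrong)
        "no_crl_for_t": status_at(archive, serial, T(25)),         # unknown
        "mismatched_crl_rejected": mismatch_rejected,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The `naive_current` result is the interoperability problem the thread circles around: once the hold is lifted and the entry drops out of the base CRL, a verifier that only fetches the current CRL sees "good" for a signature that was made during the suspension, and nothing in the current CRL records that the hold ever existed. Only an archived or embedded CRL covering the signing time can return "suspended".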