[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Certificate suspension

Hi Dino,

non-english speaking countries hardly use the term "suspension" in
their laws. Furthermore, the requirements imposed by the law usually
do not refer to any standards or technical solutions. This is
particularly true within the EU where electronic signatures do not
even need to deploy digital signatures.

Your appreciation regarding the source of the problems seems to
match mine: It's the limitation of technical standards to meet the
logical requirements of the legislation. (At least as long as SCVP
is not widely used.)

However, I disagree that a signature created while the certificate
was on hold must necessarily be considered invalid. This is a matter
of the certificate policy, and there are application scenarios for
suspension (reaction to unauthenticated revocation requests) where
such signatures could be regarded valid after reinstating of the
certificate. However, I do not advocate suspension as revocation and
potential certificate renewal is a better solution.

By the way: Here in Germany, suspension of qualified certificates is
considered inadmissable (at least by the supervising authority),
although there are no explicit requirements in the law and ordinance.

Johannes

Alfredo Esposito schrieb am 24.01.2008 11:35:
> Hi Johannes
> In my experience who write down the laws has often a poor understanding
> of technical issues; therefore some words that have a very special
> meaning in a technical specification are instead used in their general
> meaning, causing a bit of confusion.
> Suspension is one of these words, because a document signed during the
> suspension should be "legally invalid" but there is no standard way of
> checking a past CRL (i.e. verifying a signature at some time t<<now).
> Better, there are some ways (ETSI specifications on advanced signatures,
> putting the CRL in the PKCS#7 envelope) but none is generally adopted.
> On the other hand, the PKI standards were developed well in advance of
> the legal concept of electronic signature, a concept that is still
> unclear in Europe, in spite of the EU Directive of 8 years ago
> 
> Dino Esposito
> 
> Johannes Merkle wrote:
> 
>>Hi Massimiliano,
>>
>>most signature laws I have seen so far had a quite clear
>>understanding of what they require. The problems arise from the
>>limitations in the technical implementations of their logical
>>requirements.
>>
>>Johannes
>>
>>Massimiliano Pala schrieb am 23.01.2008 20:20:
>>  
>>
>>>Hi all,
>>>
>>>I guess that the problem with the current PKIX solution on suspension is
>>>that it is just an extended revocation status - this means that it is
>>>just a sub-case of revocation. In many cases this is not what you need,
>>>and when some laws require "suspension" they have not a clear idea of
>>>what is it, actually.
>>>
>>>I wonder how many "non-ad-hoc" applications actually know how to correctly
>>>handle suspension... we are still facing interoperability issues between
>>>PKIs with respect to this issue, I guess...
>>>
>>>Later,
>>>Max
>>>
>>>
>>>
>>>Ignacio Alamillo wrote:
>>>
>>>    
>>>
>>>>Under Spanish law, suspension is a legal requirement (not a strictly
>>>>enforced one, but a requirement after all) and therefore many CA have
>>>>implemented it, and it is actually used.
>>>>      
>>>>
>>>    
>>>
>>
>>  
>>

-- 
Viele Grüße,
Johannes Merkle