Hi Johannes
In the Italian law the word adopted is "sospensione", the literal
translation of the English "suspension" and, sadly, the law explicitly
states that a document signed with a suspended or revoked certificate
is equivalent to an unsigned document. I agree with you that the
technical standards SHALL address this issue, but maybe IETF is not the
right forum.
Ciao
Dino
Johannes Merkle wrote:
Hi Dino,
Non-English speaking countries hardly use the term "suspension" in
their laws. Furthermore, the requirements imposed by the law usually
do not refer to any standards or technical solutions. This is
particularly true within the EU where electronic signatures do not
even need to deploy digital signatures.
Your appreciation regarding the source of the problems seems to
match mine: It's the limitation of technical standards to meet the
logical requirements of the legislation. (At least as long as SCVP
is not widely used.)
However, I disagree that a signature created while the certificate
was on hold must necessarily be considered invalid. This is a matter
of the certificate policy, and there are application scenarios for
suspension (reaction to unauthenticated revocation requests) where
such signatures could be regarded valid after reinstating of the
certificate. However, I do not advocate suspension as revocation and
potential certificate renewal is a better solution.
By the way: Here in Germany, suspension of qualified certificates is
considered inadmissible (at least by the supervising authority),
although there are no explicit requirements in the law and ordinance.
Johannes
Alfredo Esposito wrote on 24.01.2008 11:35:
Hi Johannes
In my experience, those who write the laws often have a poor understanding
of technical issues; therefore some words that have a very special
meaning in a technical specification are instead used in their general
meaning, causing a bit of confusion.
Suspension is one of these words, because a document signed during the
suspension should be "legally invalid" but there is no standard way of
checking a past CRL (i.e. verifying a signature at some time t<<now).
Better, there are some ways (ETSI specifications on advanced signatures,
putting the CRL in the PKCS#7 envelope) but none is generally adopted.
On the other hand, the PKI standards were developed well in advance of
the legal concept of electronic signature, a concept that is still
unclear in Europe, in spite of the EU Directive of 8 years ago.
Dino Esposito
Johannes Merkle wrote:
Hi Massimiliano,
most signature laws I have seen so far had a quite clear
understanding of what they require. The problems arise from the
limitations in the technical implementations of their logical
requirements.
Johannes
Massimiliano Pala wrote on 23.01.2008 20:20:
Hi all,
I guess that the problem with the current PKIX solution on suspension is
that it is just an extended revocation status - this means that it is
just a sub-case of revocation. In many cases this is not what you need,
and when some laws require "suspension" they do not have a clear idea of
what it is, actually.
I wonder how many "non-ad-hoc" applications actually know how to correctly
handle suspension... we are still facing interoperability issues between
PKIs with respect to this issue, I guess...
Later,
Max
Ignacio Alamillo wrote:
Under Spanish law, suspension is a legal requirement (not a strictly
enforced one, but a requirement after all) and therefore many CAs have
implemented it, and it is actually used.