
Re: Certificate suspension
On Jan 27, 2008, at 4:20 AM, Eric Norman wrote:

On Jan 26, 2008, at 7:06 PM, Stephen Wilson wrote:

I could try to
deny making the payment, and to bolster my case, I could say to a judge
"Look Your Honour, there was no 'non-repudiation' in the transaction
technology, therefore I can repudiate it!".  Fat chance!!  So if the
absence of an NR bit will not help me win the case, the presence of an
NR bit cannot be defining of a legal position either.]

...

makes it very difficult to take a signature created at some time in
the past and determine from CRLs and delta CRLs whether or not the
certificate was valid at that time.

Since we're talking about court cases here, it's not obvious to me that
the court would even care about whether certificates used for signing
were valid at signing time.  The only things a court might care about
is whether the signer had the *intent* to sign, or the signature was
under duress, or something like that.

I don't think you can prove duress, no matter how much cryptography or certificate policy you throw at it. The only claim that's relevant to certificates in court is a claim that "some other dude" signed this transaction. As long as I signed it, it makes no difference if the certificate is suspended, revoked, expired or in its "not before" period.


I have a suspicion, and hope, that these attempts to design "electronic
justice" result in nothing more than discussions on mailing lists.

Eventually it can be hoped that signatures done with a certificate that was already revoked (and deployed in the CRL) should not be binding. Same should go for certificates that were suspended at the time, and not subsequently re-enabled.
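The rule proposed in this last paragraph, together with the earlier point that validity at signing time is hard to recover from CRLs and delta CRLs, as an added Python example (not code from this thread): it replays a certificate's CRL entry history, which must first be reconstructed from archived base and delta CRLs because a base CRL simply drops a lifted hold, and then applies the proposed rule. Serials, dates and reason values are constructed; the reason names are the RFC 5280 CRLReason names.

```python
from datetime import datetime

HOLD, REMOVE = "certificateHold", "removeFromCRL"   # RFC 5280 CRLReason names

def history(entries, serial):
    """CRL entries (serial, revocationDate, reason) for one cert, oldest first."""
    return sorted((e for e in entries if e[0] == serial), key=lambda e: e[1])

def status_at(entries, serial, t):
    """Replay the CRL history up to t: 'valid', 'suspended' or 'revoked'."""
    state = "valid"
    for _, when, reason in history(entries, serial):
        if when > t:
            break
        if reason == HOLD:
            state = "suspended"
        elif reason == REMOVE and state == "suspended":
            state = "valid"                      # hold lifted (delta-CRL entry)
        elif reason != REMOVE:
            state = "revoked"                    # any other reason is permanent
    return state

def reenabled_after(entries, serial, t):
    """Was a hold in force at t lifted later, before any permanent revocation?"""
    for _, when, reason in history(entries, serial):
        if when <= t or reason == HOLD:
            continue
        return reason == REMOVE                  # first later non-hold entry decides
    return False

def binding(entries, serial, signed_at):
    """Rule proposed in the thread: not binding if the cert was revoked at
    signing time, or suspended then and never subsequently re-enabled."""
    state = status_at(entries, serial, signed_at)
    if state == "revoked":
        return False
    if state == "suspended":
        return reenabled_after(entries, serial, signed_at)
    return True

# Constructed CRL history (serials, dates and reasons made up for the example).
SAMPLE = [
    (0x1001, datetime(2008, 1, 10), HOLD),
    (0x1001, datetime(2008, 1, 20), REMOVE),
    (0x1001, datetime(2008, 3, 1), "keyCompromise"),
    (0x1002, datetime(2008, 1, 10), HOLD),
    (0x1002, datetime(2008, 3, 1), "keyCompromise"),
]
```

Note that the result depends entirely on having the full entry history: checking only the CRL current at verification time would show 0x1001 as revoked and say nothing about whether its earlier hold was ever lifted.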