Re: Certificate suspension
We run a national health card project in Austria with 10 million cards issued [1] (Mr. Merkle mentioned it), each with a digital signature based on ECDSA (P-192) and X.509 public-key certificates. The employed PKI supports certificate suspension using the onHold reason code in the sense of "certificate revocation is under investigation - try later". There are CRLs and OCSP for revocation checking.
An external CA [2] provides additional qualified certificates for the cards based on the Austrian Signature Act ([3] and [4] §10 (7)), which also mandates this type of suspension.
An analysis showed that this really saves money because several thousand certificates/cards that were set onHold were re-activated and we did not have to issue a new card.
As far as I know, onHold is the only means in PKIX/X.509 for implementing certificate suspension. Deprecating this feature seems impossible to me as long as PKIX/X.509 does not offer an alternative option for implementing this requirement, and as we can see from various postings, we face this requirement frequently.
[1] English information about the e-card project: http://www.chipkarte.at/portal/index.html;jsessionid=C88A207E80EA852A1495B3E051C22D7F?ctrl:cmd=render&ctrl:window=ecardportal.channel_content.cmsWindow&p_menuid=52069&p_tabid=5
[2] A-Trust, http://www.a-trust.at/
[3] Austrian Signature Act, http://www.signatur.rtr.at/en/legal/sigg.html (German)
[4] Austrian Signature Ordinance, http://www.signatur.rtr.at/en/legal/sigv.html (German)
regards
Karl Scheibelhofer
--
SVC
Sozialversicherungs-Chipkarten Betriebs- und Errichtungsges.m.b.H. - SVC A-1020 Wien, Raimundgasse 1
T: +43 50 124 714 - 4262
F: +43 50 124 714 - 3776
karl.scheibelhofer@xxxxxxxxx
www.svc.co.at
FN: 206187t, Handelsgericht Wien
DVR: 3000966
UID: ATU52613104
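
The "try later" semantics described in the message above, as an added example that is not part of the original post and not code from the e-card project: a relying party reads the newest current CRL, and an audit function reports what became of every certificate that was ever on hold. The `Crl` model, the function names, the serial numbers and the dates are constructed for illustration, and only full CRLs are modelled (no delta CRLs, no OCSP).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum

CERTIFICATE_HOLD = 6  # CRLReason certificateHold (RFC 5280), the "onHold" code

class Status(Enum):
    GOOD = "good"
    ON_HOLD = "on hold, try later"
    REVOKED = "revoked"
    UNKNOWN = "no current CRL"

@dataclass
class Crl:  # simplified model of one full CRL (assumption: no delta CRLs)
    this_update: datetime
    next_update: datetime
    entries: dict  # serial -> CRLReason code, None if the extension is absent

def status_in(crl, serial):
    """Status of one serial according to a single CRL."""
    if serial not in crl.entries:
        return Status.GOOD
    if crl.entries[serial] == CERTIFICATE_HOLD:
        return Status.ON_HOLD
    return Status.REVOKED

def status_at(serial, crls, now):
    """Relying-party view: use the newest CRL that is current at `now`."""
    current = [c for c in crls if c.this_update <= now < c.next_update]
    if not current:
        return Status.UNKNOWN  # stale or missing CRL: do not assume "good"
    return status_in(max(current, key=lambda c: c.this_update), serial)

def hold_outcomes(crls):
    """For every serial ever seen on hold, its status in the latest CRL."""
    ordered = sorted(crls, key=lambda c: c.this_update)
    held = {s for c in ordered for s, r in c.entries.items() if r == CERTIFICATE_HOLD}
    return {s: status_in(ordered[-1], s) for s in held}

# Constructed sample data: three daily CRLs, serial numbers are made up.
T0 = datetime(2010, 1, 1)
DAY = timedelta(days=1)
SAMPLE_CRLS = [
    Crl(T0, T0 + DAY, {1001: CERTIFICATE_HOLD, 1002: CERTIFICATE_HOLD}),
    Crl(T0 + DAY, T0 + 2 * DAY, {1002: CERTIFICATE_HOLD, 1003: 1}),
    Crl(T0 + 2 * DAY, T0 + 3 * DAY, {1002: 1, 1003: 1}),  # 1 = keyCompromise
]
```

In the sample data, serial 1001 is released from hold and serial 1002 moves from hold to permanent revocation, the two possible outcomes of a suspension.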