Stephen Kent wrote:
>
> Massimiliano,
>
> Would not a CRL DP that holds only suspended certs achieve the effect
> you attribute to a CSL?
>
> Steve

Yes, I think this is what we definitely need. What I was wondering is if available software can distinguish CSLs from CRLs ... As far as I know, Netscape actually does not support CRLs with extensions. Am I wrong ??? Do you know of some software supporting extensions in CRLs (widely available) ???

To issue a CRL, you'd need the CA certificate/key, but in an environment where you have (for security reasons) a network-less CA, how to accomplish this ??? Can you sign CRLs with a certificate that is not the CA Cert ???

I was also thinking about the OCSP service: if I can remember well, the possible states for a given certificate can be Good/Revoked or Unknown only, right ??? What about, if there is not yet, adding a 'Suspended' state ???

Thank you for the reply,

Massimiliano Pala (madwolf@openca.org)