Re: OCSP and CSL
Ben,
It comes down to your interpretation of suspend versus revoke. If the
network between a client and the CA goes bad and you cannot reach a CA for
a period of time, an argument could be made to "suspend" certs from that CA.
If the user leaves the employ of a company, one would hope that their cert
would be "revoked". No?
Regards,
Brian
At 05:27 PM 01/26/00, Ben Laurie wrote:
>Massimiliano Pala wrote:
>>
>> Stephen Kent wrote:
>> >
>> > Massimiliano,
>> >
>> > Would not a CRL DP that holds only suspended certs achieve the effect
>> > you attribute to a CSL?
>> >
>> > Steve
>>
>> Yes, I think this is what we definitely need. What I was wondering is if
>> available software can distinguish CSLs from CRLs ... As far as I know,
>> actually Netscape does not support CRLs with extensions. Am I wrong ???
>>
>> Do you know of some software supporting extensions in CRLs (widely
>> available) ???
>>
>> To issue a CRL, you'd need the CA certificate/key, but in an environment
>> where you have (for security reasons) a network-less CA, how to accomplish
>> this ??? Can you sign CRLs with a certificate that is not the CA Cert ???
>
>Since a suspended certificate is as unusable as a revoked one, it makes
>no sense to me to permit _any_ differences between the creation of a
>suspension and the creation of a revocation. Which means that there's
>little point in supporting suspension at all.
>
>Cheers,
>
>Ben.
>
>--
>SECURE HOSTING AT THE BUNKER! http://www.thebunker.net/hosting.htm
>
>http://www.apache-ssl.org/ben.html
>
>Y19100 no-prize winner!
>http://www.ntk.net/index.cgi?back=2000/now0121.txt
>
Brian Ford
Consulting Engineer, CCIE #2106
Cisco Systems Inc.
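The thread turns on how a relying party can tell a suspended certificate from a revoked one. In X.509 CRLs (RFC 2459, later RFC 5280) that information lives in the per-entry reasonCode extension: certificateHold (6) marks a suspension, and removeFromCRL (8) in a delta CRL lifts it, while any other reason, or no reasonCode at all, is a plain revocation. Software that ignores CRL entry extensions, as Netscape was said to at the time, therefore cannot distinguish the two. The example below is added here and is not code from any participant in the thread; it uses a hand-written minimal DER encoder/decoder (no signature or TBSCertList handling), constructed sample entries with made-up serial numbers, and helper names (`classify`, `is_acceptable`) that are this example's own.

```python
"""Minimal DER handling for the revokedCertificates list of an X.509 CRL.

Builds a constructed sample list, then separates entries whose reasonCode is
certificateHold (suspended) from ordinary revocations. The sample serials and
dates are made up for this example; the DER helpers cover only the subset of
ASN.1 needed for CRL entries and do no signature checking.
"""
import datetime
from typing import List, Optional, Tuple

REASON_CODE_OID = bytes.fromhex("551d15")  # id-ce-cRLReasons, OID 2.5.29.21
AFFILIATION_CHANGED = 3                     # e.g. employee has left the company
CERTIFICATE_HOLD = 6                        # suspension, may later be lifted
REMOVE_FROM_CRL = 8                         # lifts a hold (delta CRLs only)


def _der_len(n: int) -> bytes:
    # Short form for lengths < 128, long form (0x80 | count, then bytes) above.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def der_integer(value: int) -> bytes:
    # Minimal two's-complement encoding; a leading 0x00 is added when needed.
    body = value.to_bytes((value.bit_length() // 8) + 1, "big", signed=True)
    return tlv(0x02, body)


def der_utctime(dt: datetime.datetime) -> bytes:
    return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))


def revoked_entry(serial: int, when: datetime.datetime,
                  reason: Optional[int] = None) -> bytes:
    """One revokedCertificates element, with an optional reasonCode extension."""
    body = der_integer(serial) + der_utctime(when)
    if reason is not None:
        ext = tlv(0x30, tlv(0x06, REASON_CODE_OID)            # extnID
                  + tlv(0x04, tlv(0x0A, bytes([reason]))))   # extnValue: ENUMERATED
        body += tlv(0x30, ext)                                # crlEntryExtensions
    return tlv(0x30, body)


def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def iter_tlv(buf: bytes):
    pos = 0
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        yield tag, body


def parse_entry(entry: bytes) -> Tuple[int, str, Optional[int]]:
    """Return (serial, revocationDate, reasonCode or None) for one entry."""
    _, body, _ = read_tlv(entry)
    items = list(iter_tlv(body))
    serial = int.from_bytes(items[0][1], "big", signed=True)
    date = items[1][1].decode("ascii")
    reason = None
    if len(items) > 2:  # crlEntryExtensions present
        for _, ext in iter_tlv(items[2][1]):
            parts = list(iter_tlv(ext))
            # parts[0] is extnID; an optional critical BOOLEAN may sit in between;
            # the last element is always the extnValue OCTET STRING.
            if parts[0][1] == REASON_CODE_OID:
                etag, ebody, _ = read_tlv(parts[-1][1])
                if etag == 0x0A:
                    reason = ebody[0]
    return serial, date, reason


def classify(revoked_list: bytes) -> dict:
    """Split a DER SEQUENCE OF revoked entries into suspended/revoked/reinstated."""
    out = {"suspended": [], "revoked": [], "reinstated": []}
    _, body, _ = read_tlv(revoked_list)
    for tag, ebody in iter_tlv(body):
        serial, _, reason = parse_entry(tlv(tag, ebody))
        if reason == CERTIFICATE_HOLD:
            out["suspended"].append(serial)
        elif reason == REMOVE_FROM_CRL:
            out["reinstated"].append(serial)
        else:  # any other reason, or no reasonCode at all, is a real revocation
            out["revoked"].append(serial)
    return out


def is_acceptable(serial: int, revoked_list: bytes) -> bool:
    """Relying-party view: a held certificate is as unusable as a revoked one."""
    c = classify(revoked_list)
    return serial not in c["suspended"] and serial not in c["revoked"]


def build_sample_list() -> bytes:
    # Constructed sample: three entries dated to the thread's own day.
    t = datetime.datetime(2000, 1, 26, 17, 27, 0)
    entries = (revoked_entry(1001, t, CERTIFICATE_HOLD)       # suspended
               + revoked_entry(1002, t, AFFILIATION_CHANGED)  # user left the company
               + revoked_entry(1003, t))                      # no reasonCode: revoked
    return tlv(0x30, entries)


if __name__ == "__main__":
    sample = build_sample_list()
    print(classify(sample))
    print("1001 acceptable?", is_acceptable(1001, sample))
```

Running it shows both sides of the argument in the thread: `classify` can tell the held certificate apart from the two revocations only because the entry carries a reasonCode extension, while `is_acceptable` returns False for all three, which is Ben's point that a relying party treats suspension and revocation identically. The distinction matters to the CA, not the client: a hold can later be lifted with removeFromCRL, and a relying party that cannot read entry extensions simply sees a longer revocation list.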