
RE: OCSP and CSL




RFC 2459 states, quite simply, the material quoted below. You 
can independently verify this assertion at:

ftp://ftp.isi.edu/in-notes/rfc2459.txt

Other important processing rules and related material may be 
found searching for the term "hold" in the RFC. For example

"(3) the certificate had not been revoked at time T and is not
         currently on hold status that commenced before time T, (this
         may be determined by obtaining the appropriate CRL or status
         information, or by out-of-band mechanisms)"

One can define new hold oids at will. The Open CA community
can invent its own if those of ANSI/PKIX are not suitable.

Read the instructions on "id-holdinstruction-reject" in combination
with rule (3) (above) carefully.

Your CSL idea can be fashioned today from a CRL, which uses the
CRL entry extension as specified in 2459, and which is
quoted below.

OpenCA will need to build its own code. The NSA-related toolkits do
not seem to support this particular element.

Peter.



-----Original Message-----
From: Stephen Kent [mailto:kent@bbn.com]
Sent: Wednesday, January 26, 2000 10:36 AM
To: Massimiliano Pala
Cc: ietf-pkix@imc.org
Subject: Re: OCSP and CSL

Finally, I have to agree with Russ. I am not fond of suspension as a 
revocation declaration and since 2459 disparages use of this 
facility, I don't think we should spend lots of time on this issue.

Steve



RFC 2459:



"
5.3.2  Hold Instruction Code

   The hold instruction code is a non-critical CRL entry extension that
   provides a registered instruction identifier which indicates the
   action to be taken after encountering a certificate that has been
   placed on hold.

   id-ce-holdInstructionCode OBJECT IDENTIFIER ::= { id-ce 23 }

   holdInstructionCode ::= OBJECT IDENTIFIER

   The following instruction codes have been defined.  Conforming
   applications that process this extension MUST recognize the following
   instruction codes.

   holdInstruction    OBJECT IDENTIFIER ::=
                    { iso(1) member-body(2) us(840) x9-57(10040) 2 }

   id-holdinstruction-none   OBJECT IDENTIFIER ::= {holdInstruction 1}
   id-holdinstruction-callissuer
                             OBJECT IDENTIFIER ::= {holdInstruction 2}
   id-holdinstruction-reject OBJECT IDENTIFIER ::= {holdInstruction 3}

   Conforming applications which encounter an
   id-holdinstruction-callissuer MUST call the certificate issuer or
   reject the certificate.  Conforming applications which encounter an
   id-holdinstruction-reject MUST reject the certificate. The hold
   instruction id-holdinstruction-none is semantically equivalent to the
   absence of a holdInstructionCode, and its use is strongly deprecated
   for the Internet PKI."