RE: OCSP and CSL



Hi Massimiliano,
    Yes, you can indicate that a certificate is suspended
in OCSP - you return a status of revoked and in
singleExtensions, include a reasonCode extension, with a
CRLReason of certificateHold.

Hope this clarifies the issue.

Regards,
Ambarish

P.S. This extension is not explicitly mentioned in the draft, but we
do say that we support all CRL Entry Extensions (see section 4.4.5
of RFC 2560).


---------------------------------------------------------------------
Ambarish Malpani
Architect                                                650.567.5457
ValiCert, Inc.                                  ambarish@valicert.com
1215 Terra Bella Ave.                         http://www.valicert.com
Mountain View, CA 94043-1833


> -----Original Message-----
> From: Massimiliano Pala [mailto:madwolf@comune.modena.it]
> Sent: Tuesday, January 25, 2000 4:39 PM
> To: Russ Housley
> Subject: Re: OCSP and CSL
> 
> 
> Russ Housley wrote:
> > 
> > Massimiliano:
> > 
> > I do not think that we should do anything to encourage CAs 
> to suspend
> > certificates.  This feature adds significant complexity to the whole
> > system, and we should discourage its use.
> > 
> > Russ
> > 
> 
> You are right in saying that adding complexity should be discouraged;
> by the way, I suggested them because we need something like that (I am
> from the OpenCA project). Let me explain in more detail why I think
> something similar could come in handy.
> 
> The CSLs (let's call them CSLs to distinguish them from CRLs) make
> sense in environments where there is a time gap between the 'request
> for certificate revocation' by the user and the effective revocation by
> the CA: this is obvious if you consider structures where the main CA
> computer is disconnected from any network.
> 
> Would you allow a certificate to be used when a user says it could have
> been compromised? Nor can you say it is revoked, because it is not
> (CRLs do not report it), and there is no way to verify it until the new
> CRL is issued.
> 
> With some instrument like the proposed CSLs (this is only a proposal; I
> am not saying it is the best or the only solution to the problem, and I
> am obviously open to EVERY comment... :-D and hopefully to some better
> solutions) you can say that, from the moment the user signals a danger,
> the usage of the certificate is compromised and that the certificate
> itself is to be considered in a 'frozen' state.
> 
> Am I completely off target? What do you think about this problem?
> Thanks for the comments you sent.
> 
> C'you,
> 
> 	Massimiliano Pala (madwolf@openca.org)
>
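Ambarish's encoding above (certStatus revoked plus a reasonCode single extension carrying CRLReason certificateHold), as an added example that is not part of the original thread or of any ValiCert or OpenCA code: it DER-encodes the certStatus, thisUpdate and singleExtensions fields of an RFC 2560 SingleResponse (certID and nextUpdate are omitted) and shows the relying-party check that tells a suspended certificate apart from an outright revocation. The GeneralizedTime value and the small DER helpers are constructed here for the example.

```python
REASON_CODE_OID = bytes.fromhex("551d15")   # id-ce-reasonCode, OID 2.5.29.21
CERTIFICATE_HOLD = 6                          # CRLReason ENUMERATED value
CRL_REASON = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise", 3: "affiliationChanged",
              4: "superseded", 5: "cessationOfOperation", 6: "certificateHold", 8: "removeFromCRL"}

def _tlv(tag, body):
    """DER tag-length-value; short-form length is enough for this fragment."""
    return bytes([tag, len(body)]) + body

def _read_tlv(buf, pos):
    """Return (tag, value, position after the TLV) for the TLV at buf[pos]."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                 # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def encode_fragment(status, when_gt, reason=None):
    """status in {'good','revoked','unknown'}; when_gt is a GeneralizedTime
    string; reason (a CRLReason value) adds a reasonCode single extension."""
    gt = _tlv(0x18, when_gt.encode())
    cert_status = {"good": _tlv(0x80, b""),      # [0] IMPLICIT NULL
                   "unknown": _tlv(0x82, b""),   # [2] IMPLICIT NULL
                   "revoked": _tlv(0xA1, gt)}[status]  # [1] IMPLICIT RevokedInfo
    out = cert_status + gt                       # thisUpdate
    if reason is not None:                       # Extension{extnID, extnValue}
        ext = _tlv(0x30, _tlv(0x06, REASON_CODE_OID)
                   + _tlv(0x04, _tlv(0x0A, bytes([reason]))))  # ENUMERATED
        out += _tlv(0xA1, _tlv(0x30, ext))       # singleExtensions [1] EXPLICIT
    return out

def classify(fragment):
    """Relying-party view: (status, reason name); 'suspended' means certStatus
    revoked together with a reasonCode extension of certificateHold."""
    status = {0x80: "good", 0xA1: "revoked", 0x82: "unknown"}[fragment[0]]
    _, _, pos = _read_tlv(fragment, _read_tlv(fragment, 0)[2])  # skip certStatus, thisUpdate
    if pos >= len(fragment):                     # no singleExtensions present
        return status, None
    _, ext_seq, _ = _read_tlv(_read_tlv(fragment, pos)[1], 0)
    p = 0
    while p < len(ext_seq):
        _, ext, p = _read_tlv(ext_seq, p)
        _, oid, q = _read_tlv(ext, 0)
        t, val, q = _read_tlv(ext, q)
        if t == 0x01:                            # optional critical BOOLEAN
            _, val, q = _read_tlv(ext, q)
        if oid == REASON_CODE_OID:
            reason = _read_tlv(val, 0)[1][0]
            held = status == "revoked" and reason == CERTIFICATE_HOLD
            return ("suspended" if held else status), CRL_REASON.get(reason, str(reason))
    return status, None
```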