Brian Ford wrote:

> Massimiliano,
>
> I'm no expert but my read of the RFCs is a little different.
>
> The CSL which you describe seems to me like a subset of a CRL. If you made a query at a CA for that info I'd guess that the current CRL at the CA would be parsed to deliver your answer. The response would be in the form of a list. So depending on the CRL lifetime, that info may (or may not) be current.
>
> Using OCSP on the other hand the request would be made to a CA regarding a specific cert. The CA would be queried directly for a response (so the info would be current). The response would be either good, revoked or unknown.
>
> Comments?
>
> Regards,
>
> Brian

Sorry, I probably left out the main point. It is true that this can be done with a subset of CRLs, but if you refer to the network-disconnected CA model, the revocation takes effect with some delay from the moment the user submits a 'request for revoking'.

The point is: can I sign a CRL using a certificate other than the CA certificate??? Will this be trusted by today's applications??

Also consider this: I cannot find my smartcard... I suppose I left it at my friend's house, but I am not sure... So I ask for a suspension of the service. Then I go to my friend's house and I find my smartcard... so the certificate has never been in danger; I can ask the CA Org not to revoke it, and from the suspended state it returns to the Valid state.

Another question I have for the list: is it allowed to sign a CRL with a revocation date prior to the time of the effective revoking??? Let's say I have a request for revoking; can I use the time the request was received instead of the time when the CA Operator physically does the revocation???

C'you,
Massimiliano Pala (madwolf@openca.org)
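An added example (not from the thread or from OpenCA) of the suspension and timing points discussed above, using Python's `cryptography` library: a constructed throwaway CA issues CRL 1 placing serial 0x1234 on certificateHold, carrying an invalidityDate for the earlier time the request was received alongside the revocationDate of when the operator actually acted, and CRL 2 simply omits the entry so the certificate is good again. The CA name, key, serial and timestamps are all made up for the example.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import Encoding
from cryptography.x509.oid import NameOID

# Constructed for this example: a throwaway CA key/name and the serial of the "lost smartcard" cert.
CA_KEY = ec.generate_private_key(ec.SECP256R1())
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example CA")])
SERIAL = 0x1234

def build_crl(entries, issued_at, number):
    """Sign a full CRL. entries: (serial, revocation_date, reason, invalidity_date or None)."""
    b = (x509.CertificateRevocationListBuilder()
         .issuer_name(CA_NAME)
         .last_update(issued_at)
         .next_update(issued_at + dt.timedelta(days=1))
         .add_extension(x509.CRLNumber(number), critical=False))
    for serial, revoked_at, reason, invalid_since in entries:
        r = (x509.RevokedCertificateBuilder()
             .serial_number(serial)
             .revocation_date(revoked_at)  # the time the CA actually acted
             .add_extension(x509.CRLReason(reason), critical=False))
        if invalid_since is not None:  # earlier time the key is believed exposed
            r = r.add_extension(x509.InvalidityDate(invalid_since), critical=False)
        b = b.add_revoked_certificate(r.build())
    return b.sign(CA_KEY, hashes.SHA256()).public_bytes(Encoding.DER)

def status(crl_der, serial):
    """Relying-party view: verify the CRL signature, then classify one serial."""
    crl = x509.load_der_x509_crl(crl_der)
    if not crl.is_signature_valid(CA_KEY.public_key()):
        raise ValueError("CRL signature does not verify against the CA key")
    entry = crl.get_revoked_certificate_by_serial_number(serial)
    if entry is None:
        return "good"
    reason = entry.extensions.get_extension_for_class(x509.CRLReason).value.reason
    return "suspended" if reason == x509.ReasonFlags.certificate_hold else "revoked"

def suspension_workflow():
    """Hold the certificate in CRL 1, then lift the hold by leaving it out of CRL 2."""
    requested = dt.datetime(2024, 1, 1, 9, 0)   # suspension request reaches the CA org
    processed = dt.datetime(2024, 1, 1, 14, 0)  # operator actually issues CRL 1
    restored = dt.datetime(2024, 1, 2, 9, 0)    # card found; CRL 2 drops the entry
    hold = (SERIAL, processed, x509.ReasonFlags.certificate_hold, requested)
    crl1 = build_crl([hold], processed, 1)
    crl2 = build_crl([], restored, 2)  # in a full CRL, a lifted hold is simply omitted
    return status(crl1, SERIAL), status(crl2, SERIAL)
```

A relying party that only checks "is the serial on the list" treats a hold like any revocation; reading the CRLReason is what lets it distinguish the suspended state from a permanent one.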