RE: OCSP and CSL
Massimiliano Pala wrote:
> The CSLs (let's call them CSLs to distinguish them from CRLs) make sense in environments where there is a time gap between the 'request for cert revoking' by the user and the effective revoking by the CA: this is obvious if you consider structures where the main CA computer is disconnected from any network.
>
> Would you allow a certificate to be used when a user says it could have been compromised? You cannot say it is revoked either, because it is not (CRLs do not report it), and there is no way to verify it till the new CRL is issued.
>
> With some instrument like the proposed CSLs (that is only a proposal, I am not saying it is the best or the only solution to the problem, I am obviously open to EVERY comment... :-D and hopefully to some better solutions) you can say that, from the moment the user signals a danger, the usage of the certificate is compromised and that it is itself to be considered in a 'frozen' state.
>
> Am I completely out of the target? What do you think about this problem? Thanks for the comments you sent.
Unless I am misunderstanding your proposal, I would have thought that CSLs
would suffer the same problems as CRLs if the CA is off-line (disconnected
from the network).
In any case, this sounds like you are looking for (near) real-time
revocation. In that case, you might like to consider using an on-line
protocol such as OCSP (RFC2560). OCSP returns a status of 'good', 'revoked'
or 'unknown'. In the case of 'revoked', there is a revocation reason and
time. As has already been pointed out by Tom Gindin, one of the reasons is
certificateHold, i.e. suspended. OCSP Responders may determine the status
of the certificate in a number of ways, e.g. CRL or status lookup in a
directory.
Hope this helps.
Cheers,
Alistair Grant
Computer Associates International.
Phone: +61 3 9727 8912
Mobile: +61 408 565 080
Fax: +61 3 9727 3491
E-Mail: Alistair.Grant@cai.com
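As an added example (not part of this thread, nor code from any product mentioned in it), the script below shows how the suspended state Alistair describes looks on the wire: an OCSP responder reports the certificate as 'revoked' with reason certificateHold, and a relying party maps that to "suspended, not usable" rather than treating it like a permanent revocation. It uses Python's `cryptography` library; the CA, the user certificate and all keys are constructed in the script.

```python
import datetime
from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

# Naive UTC timestamps (no tzinfo, no microseconds) are accepted by every cryptography version.
NOW = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None, microsecond=0)

def make_cert(cn, issuer_cn, key, signing_key, serial):
    """Minimal test certificate (constructed here; not a real PKI)."""
    name = lambda n: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, n)])
    return (x509.CertificateBuilder()
            .subject_name(name(cn)).issuer_name(name(issuer_cn))
            .public_key(key.public_key()).serial_number(serial)
            .not_valid_before(NOW - datetime.timedelta(days=1))
            .not_valid_after(NOW + datetime.timedelta(days=30))
            .sign(signing_key, hashes.SHA256()))

def build_hold_response():
    """Responder side: the CA has placed the user's certificate on certificateHold."""
    ca_key, ee_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(2))
    ca_cert = make_cert("Test CA", "Test CA", ca_key, ca_key, 1)
    ee_cert = make_cert("user cert", "Test CA", ee_key, ca_key, 2)
    resp = (ocsp.OCSPResponseBuilder()
            .add_response(ee_cert, ca_cert, hashes.SHA256(), ocsp.OCSPCertStatus.REVOKED,
                          NOW, None,                           # thisUpdate, nextUpdate
                          NOW - datetime.timedelta(hours=1),   # revocationTime
                          x509.ReasonFlags.certificate_hold)   # revocationReason
            .responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert)
            .sign(ca_key, hashes.SHA256()))
    return resp.public_bytes(serialization.Encoding.DER)

def interpret(der):
    """Relying-party side: decide whether the certificate may be used right now."""
    resp = ocsp.load_der_ocsp_response(der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return {"verdict": "error", "reason": None, "usable": False}
    status = resp.certificate_status
    if status == ocsp.OCSPCertStatus.GOOD:
        return {"verdict": "good", "reason": None, "usable": True}
    if status == ocsp.OCSPCertStatus.UNKNOWN:   # fail closed: responder cannot vouch for it
        return {"verdict": "unknown", "reason": None, "usable": False}
    reason = resp.revocation_reason   # None when the responder gives no reason
    suspended = reason == x509.ReasonFlags.certificate_hold
    return {"verdict": "suspended" if suspended else "revoked",
            "reason": reason.value if reason else None, "usable": False}

if __name__ == "__main__":
    print(interpret(build_hold_response()))
```

The 'suspended' verdict is what distinguishes a hold from a final revocation: the relying party refuses the certificate now, but a later OCSP query may return 'good' again once the CA lifts the hold.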