
Re: OCSP and CSL



A particular client can always refuse to accept certificates from a particular CA. I would assume that a CA that does not have a certificate path back to a trust anchor is one such example. Other rules could also cause a client to reject certificates from a CA. These rules have nothing whatsoever to do with suspended certificates or revoked certificates.

In general, the CA that issues a certificate is responsible for suspending it or revoking it. The CA can delegate this responsibility with the CRL Distribution Point extension, but generally the CA retains this responsibility.

Russ


At 01:19 PM 01/26/2000 -0500, Brian Ford wrote:
Ben,

It comes down to your interpretation of suspend versus revoke.  If the
network between a client and the CA goes bad and you cannot reach a CA for
a period of time an argument could be made to "suspend" certs from that CA.
 If the user leaves the employ of a company one would hope that their cert
would be "revoked".  No?

Regards,

Brian