>I cannot find my smartcard... I suppose I left it at my friend's house, but I am not
>sure... So I ask for a suspension of the service. Then I go to my friend's house and
>I find my smartcard... so the certificate has never been in danger, I can ask the
>CA Org not to revoke it and from the suspended state it returns to the Valid state.

That is a requirement. Just because there is a technology that is intended to meet a requirement is no guarantee that it is a good idea to use that technology.

Revoking certificates and reissuing sounds like an excellent solution to this problem. The encryption key can be rolled over in the re-issued card; minting new signing keys is never a problem.

I don't think that the change of the cert status back to valid has much hope of being accurately and reliably tracked. Re-certification is a slam dunk.

If there is a truly dynamic data source (such as when there is authorization info embedded in or associated with the cert) then a dynamic data protocol such as OCSP is appropriate. Trying to make static data structures such as CRLs and Certs provide a dynamic data service is like trying to speed up a tortoise by strapping on an outboard motor.

Phill
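The tracking problem behind the "back to Valid" objection above, as an added, constructed model that is not part of the original thread: a toy CA publishes CRLs with a nextUpdate, two relying parties cache each CRL until then (as CRL checkers normally do), and the same lost-card timeline is run once with certificateHold followed by release and once with revoke-and-reissue. The tick-based clock, the serial numbers and the "early"/"late" relying-party names are assumptions for illustration only; no real keys, CRL encoding or network fetches are involved.

```python
"""Cache skew in CRL-based status checking: suspension vs. revoke-and-reissue.

Constructed model for illustration; the tick clock, serials and party names
are assumptions, not data from any real CA.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HOLD = "certificateHold"      # RFC 5280 CRLReason(6): the certificate is suspended
COMPROMISE = "keyCompromise"  # RFC 5280 CRLReason(1): permanent revocation


@dataclass
class CRL:
    this_update: int          # tick at which the CA signed this CRL
    next_update: int          # a relying party may keep using it until this tick
    entries: Dict[int, str]   # serial number -> CRLReason


@dataclass
class CA:
    crl_lifetime: int = 10
    entries: Dict[int, str] = field(default_factory=dict)
    issued: List[CRL] = field(default_factory=list)

    def publish(self, now: int) -> CRL:
        crl = CRL(now, now + self.crl_lifetime, dict(self.entries))
        self.issued.append(crl)
        return crl

    def suspend(self, serial: int, now: int) -> CRL:
        self.entries[serial] = HOLD
        return self.publish(now)

    def release(self, serial: int, now: int) -> CRL:
        # Releasing a hold leaves no trace: the entry is simply absent from
        # later CRLs, so an old CRL and a new one give different answers.
        self.entries.pop(serial, None)
        return self.publish(now)

    def revoke(self, serial: int, now: int) -> CRL:
        self.entries[serial] = COMPROMISE
        return self.publish(now)

    def latest(self) -> CRL:
        return self.issued[-1]


@dataclass
class RelyingParty:
    cached: Optional[CRL] = None

    def status(self, ca: CA, serial: int, now: int) -> str:
        # Refetch only once the cached CRL has passed nextUpdate.
        if self.cached is None or now >= self.cached.next_update:
            self.cached = ca.latest()
        reason = self.cached.entries.get(serial)
        if reason is None:
            return "good"
        return "hold" if reason == HOLD else "revoked"


def never_returns_to_good(history: List[str]) -> bool:
    """True if a serial that once left 'good' is never reported 'good' again."""
    seen_bad = False
    for s in history:
        if s != "good":
            seen_bad = True
        elif seen_bad:
            return False
    return True


def suspend_then_release() -> Dict[str, List[str]]:
    """Card mislaid at t=2 and found at t=5; the cert is put on hold, then released."""
    ca, serial = CA(), 0x1001
    ca.publish(now=0)
    early, late = RelyingParty(), RelyingParty()
    log: Dict[str, List[str]] = {"early": [], "late": []}
    log["early"].append(early.status(ca, serial, now=0))   # caches CRL(0, 10)
    ca.suspend(serial, now=2)
    log["late"].append(late.status(ca, serial, now=3))     # caches CRL(2, 12): hold
    log["early"].append(early.status(ca, serial, now=3))   # still CRL(0, 10): good
    ca.release(serial, now=5)
    log["early"].append(early.status(ca, serial, now=6))   # good
    log["late"].append(late.status(ca, serial, now=6))     # still hold
    log["late"].append(late.status(ca, serial, now=12))    # refetch: good again
    return log


def revoke_and_reissue() -> Dict[str, List[str]]:
    """Same timeline, but the CA revokes the old serial and issues a fresh card."""
    ca, old, new = CA(), 0x1001, 0x1002
    ca.publish(now=0)
    early, late = RelyingParty(), RelyingParty()
    log: Dict[str, List[str]] = {"early_old": [], "late_old": [], "late_new": []}
    log["early_old"].append(early.status(ca, old, now=0))
    ca.revoke(old, now=2)                                   # lost key treated as compromised
    log["late_old"].append(late.status(ca, old, now=3))
    log["late_new"].append(late.status(ca, new, now=3))     # new serial is on no CRL
    log["early_old"].append(early.status(ca, old, now=10))  # refetch after nextUpdate
    ca.publish(now=12)                                      # routine periodic CRL
    log["late_old"].append(late.status(ca, old, now=20))
    return log


if __name__ == "__main__":
    print("suspend/release:", suspend_then_release())
    print("revoke/reissue: ", revoke_and_reissue())
```

In the suspension run the "early" party never observes the hold at all and the two parties disagree at t=6, yet both are behaving correctly under CRL rules; only a fresh fetch (or OCSP, which answers from the CA's live state) resolves it. In the reissue run every serial's history is monotonic: the old serial goes to "revoked" and stays there in every cache once it refreshes, and the new serial has never appeared on any CRL, so there is no state transition to track.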