
More on OCSP and CSL

Hi Antonio Lioy,

good to read you again. You wrote:

> I think that CSL is a real need in several cases and that it
> cannot be easily substituted with CRL or OCSP.

I had different comments on this; some share our opinion, others
have expressed perplexity about defining a new acronym and/or
definition... :-(

[...]
> So I'd like to see this scenario supported by the following
> technical details:
> - a status code returned by an OCSP server to tell that a
> cert is SUSPENDED

Most of the people reported that OCSP can be used in conjunction
with extensions to state the certificateHold revocation reason (this
is the widely suggested option we actually have for the OCSP
responder ... ). The same (by absurdity) could apply to CRLs: CRLs can
be replaced by an OCSP responder, can't they ??? But would you abandon
the CRL mechanism??? No ??? Why ??? Probably what you would respond
to this question is very similar to what I would say about CSL ...

> - a long term memory that a cert was suspended during a
> certain period of time; this should be provided by a CSL,
> which closely resembles the format (but not the meaning) of
> a CRL

Here I have to point out this: I think it is not required
to keep track of the suspension time of a certificate if it
has not been revoked. If you have doubts about possible misuses
of it, then it should be revoked; otherwise it has never been
in 'danger' and it should be trusted, so we don't have to keep
track of the suspension time.

To clarify:

	o CSL should keep track of suspension periods for
	  (afterwards) revoked certificates;

	o CSL should not keep track of suspension periods
	  for certificates not (afterwards) revoked;

This should be adopted so as not to have CSLs too long and carrying
useless data (why keep track of suspension periods if
you, moving the certificate again to the valid state, say it
was never in danger and you trust it.... ).

This is only my vision on CSL :-D More comments on this ???

C'you,

	Massimiliano Pala (madwolf@openca.org)
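The CSL policy laid out in the message (record suspension periods only for certificates that are later revoked, and report a suspension over OCSP as "revoked" with reason certificateHold), modelled as an added example that is not code from the original message or from OpenCA; the class and method names are hypothetical and times are Unix seconds.

```python
# Added example, not code from the original message or from OpenCA: a model of
# the CSL policy proposed above. Names are hypothetical; times are Unix seconds.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
CERTIFICATE_HOLD = 6  # RFC 5280 CRLReason certificateHold: "suspended" over OCSP


@dataclass
class CertRecord:
    revoked_reason: Optional[int] = None          # set once really revoked
    hold_since: Optional[int] = None              # start of an open suspension
    suspension: Optional[Tuple[int, int]] = None  # closed period kept for the CSL


class CslTracker:
    """Keeps suspension periods only for certificates that end up revoked."""
    def __init__(self) -> None:
        self.certs: Dict[int, CertRecord] = {}

    def suspend(self, serial: int, at: int) -> None:
        rec = self.certs.setdefault(serial, CertRecord())
        if rec.revoked_reason is None and rec.hold_since is None:
            rec.hold_since = at

    def reinstate(self, serial: int) -> None:
        # Back to valid: the CA says the cert was never in danger, so the hold is dropped.
        rec = self.certs.setdefault(serial, CertRecord())
        if rec.revoked_reason is None:
            rec.hold_since = None

    def revoke(self, serial: int, at: int, reason: int) -> None:
        rec = self.certs.setdefault(serial, CertRecord())
        if rec.revoked_reason is not None:
            return  # revocation is final; keep the first reason and period
        if rec.hold_since is not None:
            rec.suspension = (rec.hold_since, at)  # close the hold and keep it
            rec.hold_since = None
        rec.revoked_reason = reason

    def ocsp_status(self, serial: int) -> Tuple[str, Optional[int]]:
        """Status an OCSP responder would return: (certStatus, revocationReason)."""
        rec = self.certs.get(serial, CertRecord())
        if rec.revoked_reason is not None:
            return ("revoked", rec.revoked_reason)
        if rec.hold_since is not None:
            return ("revoked", CERTIFICATE_HOLD)   # suspended, not yet revoked
        return ("good", None)

    def csl_entries(self) -> Dict[int, Tuple[int, int]]:
        # CSL content: suspension periods of revoked certificates only
        return {s: r.suspension for s, r in self.certs.items()
                if r.revoked_reason is not None and r.suspension is not None}
```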
