Massimiliano Pala wrote:
>
> Hi Antonio Lioy,
>
> good in reading you again.

Hi Max :-)

> > - a long term memory that a cert was suspended during a
> >   certain period of time; this should be provided by a CSL,
> >   which closely resembles the format (but not the meaning) of
> >   a CRL
>
> Here I do have to point out this: I think it is not required
> to keep track of the suspension time of a certificate if it
> has not been revoked, if you have doubt about possible misusages
> of it, then it should be revoked, otherwise it has never been
> in 'danger' and it should be trusted so we don't have to keep
> track for suspension time.
>
> To clarify:
>
>   o CSL should keep track of suspension periods for
>     (afterwards) revoked certificates;
>
>   o CSL should not keep track of suspension periods
>     for not (afterwards) revoked certificates;

This is another view: the CSL is being used as a waiting list for
possibly revoked certs. If it is later revoked, then you'll put it
in the CRL, otherwise you'll remove it from the CSL.

But I disagree with this view: if I temporarily lost control of my
smart-card, I can never know what has happened during that period of
time. Maybe two years later someone claims money from me, based on a
digital signature produced during that exact period of time. If you
removed the entry from the CSL, you'll not be able to prove that it
was not you that signed that document.

Do you agree?

Antonio Lioy
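Added example, not part of the original message or of any CSL specification: a minimal Python model of the two CSL policies discussed above, replaying a lost-then-recovered smart-card and then checking a signature dated inside the suspension window. The class names, entry fields, serial number and dates are constructed for illustration, and the signing time is assumed to come from a trusted timestamp.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class Suspension:                     # hypothetical CSL entry, not a standard format
    serial: int
    start: datetime
    end: Optional[datetime] = None    # None = still suspended

class WaitingListCSL:
    """Entry is deleted when the suspension is lifted without revocation."""
    def __init__(self):
        self.entries = {}
    def suspend(self, serial, when):
        self.entries[serial] = Suspension(serial, when)
    def lift(self, serial, when):
        self.entries.pop(serial, None)            # history is lost here
    def was_suspended(self, serial, signed_at):
        s = self.entries.get(serial)
        return s is not None and s.start <= signed_at

class HistoricalCSL:
    """Entry is closed with an end time and kept as long-term memory."""
    def __init__(self):
        self.entries = []
    def suspend(self, serial, when):
        self.entries.append(Suspension(serial, when))
    def lift(self, serial, when):
        for s in self.entries:
            if s.serial == serial and s.end is None:
                s.end = when                      # close the interval, keep it
    def was_suspended(self, serial, signed_at):
        return any(s.serial == serial and s.start <= signed_at
                   and (s.end is None or signed_at < s.end)
                   for s in self.entries)

def dispute(csl, signed_at):
    """Replay a constructed timeline, then ask the question raised years later."""
    serial = 4711                                 # constructed serial number
    csl.suspend(serial, datetime(2001, 3, 1))     # control of the card lost
    csl.lift(serial, datetime(2001, 3, 10))       # card recovered, not revoked
    # signed_at is assumed to come from a trusted timestamp on the signature
    return csl.was_suspended(serial, signed_at)

if __name__ == "__main__":
    during = datetime(2001, 3, 5)
    print("waiting list:", dispute(WaitingListCSL(), during))
    print("historical:  ", dispute(HistoricalCSL(), during))
```

With the waiting-list policy the query returns False for a signature dated inside the suspension window, because no record of the interval survives; the historical policy returns True for that date and False for dates outside it.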