[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: OCSP and CSL

To: ietf-pkix@xxxxxxx
Subject: Re: OCSP and CSL
From: Brian Tvedt <btvedt@xxxxxxxxx>
Date: Fri, 28 Jan 2000 19:28:53 -0500
References: <> <> <> <>

Antonio Lioy wrote:
> 
> Brian Tvedt wrote:
> >
> > If I was that concerned about misuse of my private key, I would password protect
> > it.  This seems much superior to relying on a complicated mechanism (CSL) being
> > correctly implemented in every security application out there.
> 
> My private key IS password-protected, and nonetheless I
> could fear its misuse should I forget it around. This fear
> is even greater in Public Administrations with automatic
> signature servers. Since the law explicitly states that such
> servers sign on behalf of a real person, this guy has a real
> fear to be held responsible for signatures emitted during
> non-working hours. And as these servers typically use a
> crypto board, it is not that easy to disable it (could be
> used for SSL support too).

If you're that worried that one of your coworkers may have stolen your password
and is going to sneak into your office when you're gone and use your smartcard,
I don't think CSL's are going to help you much.  Won't you have to suspend your
certificate every time you go to the bathroom?

> Revoking and issuing new certs is a real trouble, especially
> when a smart-card (Or crypto board) with one-time on-board
> private-key generation is involved.
> 
> Perhaps I have the wrong understanding of the Hold code in a
> RFC-2459 conformant CRL. I could not find a clear definition
> of how is a certificate "temporarily suspended" and yet
> placed in a CRL. In my understanding, a CRL is a
> monotonically non-decreasing list of revoked certificates.
> There is no way to state that a cert is valid again. Issuing
> another cert for the same key is simply not possible in
> certain environments.
> Either a CRL is augmented in meaning to be a list of invalid
> certs within specific timeframes (i.e. invalidity start -
> invalidity end, the latter being infinite for truly revoked
> certs), or a separate concept has to be created: CSL.
> 
> OCSP can then be the vehicle to convey punctual information
> about a cert status, but given teh current legislation in
> several countries, CRLs (and may be CSLs) have to be
> produced and archived for legal use.

I don't know if there's anything in PKIX which says that if the set of revoked
certificates in a CRL must be a superset of every previously-issued (lower
serial number) CRL from the same CA.  In other words, it's legal (I think) for a
certificate listed on a CRL to "disappear" on the next update.  Then there's the
mysterious business of the certificateHold reason code, which is presumably
intended for this sort of thing.

In sum, I'm not sold that suspension of certificates is really necessary, but if
you're convinced that it is, it seems to me it could be done with CRLs as
currently defined.

--
Brian Tvedt
Phaos Technology Corp.

References:
- RE: OCSP and CSL
  - From: Philip Hallam-Baker
- Re: OCSP and CSL
  - From: Antonio Lioy
- Re: OCSP and CSL
  - From: Brian Tvedt
- Re: OCSP and CSL
  - From: Antonio Lioy

Prev by Date: Re: More on OCSP and CSL
Next by Date: RE: OCSP and CSL
Previous by thread: Re: OCSP and CSL
Next by thread: Re: OCSP and CSL
Index(es):
- Date
- Thread