Re: OCSP and CSL
In this case I interpret your "suspend" as the relying party will stop
accepting certs until he/she can verify the certs for that specific CA.
This is far from Massimo's inquiry.
----- Original Message -----
From: Brian Ford <brford@cisco.com>
To: Ben Laurie <ben@algroup.co.uk>
Cc: Massimiliano Pala <madwolf@comune.modena.it>; Stephen Kent
<kent@bbn.com>; <ietf-pkix@imc.org>
Sent: Wednesday, January 26, 2000 1:19 PM
Subject: Re: OCSP and CSL
> Ben,
>
> It comes down to your interpretation of suspend versus revoke. If the
> network between a client and the CA goes bad and you cannot reach a CA for
> a period of time an argument could be made to "suspend" certs from that CA.
> If the user leaves the employ of a company one would hope that their cert
> would be "revoked". No?
>
> Regards,
>
> Brian
>
> At 05:27 PM 01/26/00, Ben Laurie wrote:
> >Massimiliano Pala wrote:
> >>
> >> Stephen Kent wrote:
> >> >
> >> > Massimiliano,
> >> >
> >> > Would not a CRL DP that holds only suspended certs achieve the effect
> >> > you attribute to a CSL?
> >> >
> >> > Steve
> >>
> >> Yes, I think this is what we definitely need. What I was wondering is if
> >> available software can distinguish CSLs from CRLs ... As far as I know,
> >> actually Netscape does not support CRLs with extensions. Am I wrong ???
> >>
> >> Do you know of some software supporting extensions in CRLs (widely
> >> available) ???
> >>
> >> To issue a CRL, you'd need the CA certificate/key, but in an environment
> >> where you have (for security reasons) a network-less CA how to accomplish
> >> this ??? Can you sign CRLs with a certificate that is not the CA Cert ???
> >
> >Since a suspended certificate is as unusable as a revoked one, it makes
> >no sense to me to permit _any_ differences between the creation of a
> >suspension and the creation of a revocation. Which means that there's
> >little point in supporting suspension at all.
> >
> >Cheers,
> >
> >Ben.
> >
> >--
> >SECURE HOSTING AT THE BUNKER! http://www.thebunker.net/hosting.htm
> >
> >http://www.apache-ssl.org/ben.html
> >
> >Y19100 no-prize winner!
> >http://www.ntk.net/index.cgi?back=2000/now0121.txt
> >
>
>
> Brian Ford
> Consulting Engineer, CCIE #2106
> Cisco Systems Inc.
>
>
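Added example, not part of the thread and not code from any of the participants: the thread asks whether CRL-consuming software can tell a "suspended" entry from a revoked one. In the PKIX CRL profile that distinction is carried by the reasonCode CRL entry extension (id-ce-cRLReasons, OID 2.5.29.21), where the value certificateHold (6) marks a suspension and every other reason is a permanent revocation. The block below builds a constructed revokedCertificates fragment with a tiny DER encoder, then walks it with a minimal DER parser in two ways: once honouring the entry extension, and once the way a consumer that ignores entry extensions would, which sees every listed serial as revoked. The sample serials and dates are made up; the code does not check the CRL signature, validity window or issuer, which a real relying party must do before trusting any entry.

```python
# Added example: distinguishing certificateHold ("suspended") CRL entries from
# permanent revocations via the reasonCode CRL entry extension.
# All sample data below is constructed for illustration, not from any CA.

ID_CE_CRL_REASONS = bytes.fromhex("551d15")  # OID 2.5.29.21, DER content bytes
CERTIFICATE_HOLD = 6                         # reasonCode value for a suspension
REMOVE_FROM_CRL = 8                          # lifts a hold; appears in delta CRLs only


def der_tlv(tag, content):
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_int(value):
    """Encode a non-negative INTEGER (leading 0x00 added when needed)."""
    return der_tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def revoked_entry(serial, utctime, reason=None):
    """One CRL entry: SEQUENCE { serial, revocationDate, crlEntryExtensions OPTIONAL }."""
    body = der_int(serial) + der_tlv(0x17, utctime.encode("ascii"))
    if reason is not None:
        extn_value = der_tlv(0x04, der_tlv(0x0A, bytes([reason])))  # OCTET STRING { ENUMERATED }
        extension = der_tlv(0x30, der_tlv(0x06, ID_CE_CRL_REASONS) + extn_value)
        body += der_tlv(0x30, extension)
    return der_tlv(0x30, body)


def parse_tlv(buf, pos):
    """Decode the TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def iter_sequence(content):
    """Yield (tag, content) for each element of a SEQUENCE body."""
    pos = 0
    while pos < len(content):
        tag, inner, pos = parse_tlv(content, pos)
        yield tag, inner


def entry_reason(entry_content):
    """Return the reasonCode of one revoked entry, or None if the extension is absent."""
    fields = list(iter_sequence(entry_content))
    if len(fields) < 3:
        return None                      # no crlEntryExtensions at all
    for _tag, extension in iter_sequence(fields[2][1]):
        parts = list(iter_sequence(extension))
        oid, extn_value = parts[0][1], parts[-1][1]   # 'critical' may sit in between
        if oid == ID_CE_CRL_REASONS:
            tag, enum, _ = parse_tlv(extn_value, 0)
            if tag == 0x0A:
                return enum[0]
    return None


def classify_crl(revoked_certificates_der):
    """Split a revokedCertificates SEQUENCE into (held, revoked, lifted) serial sets."""
    _tag, entries, _ = parse_tlv(revoked_certificates_der, 0)
    held, revoked, lifted = set(), set(), set()
    for _tag, entry in iter_sequence(entries):
        serial = int.from_bytes(next(iter_sequence(entry))[1], "big")
        reason = entry_reason(entry)
        if reason == CERTIFICATE_HOLD:
            held.add(serial)
        elif reason == REMOVE_FROM_CRL:
            lifted.add(serial)
        else:
            revoked.add(serial)          # any other reason, or no reason, is permanent
    return held, revoked, lifted


def revoked_serials_ignoring_extensions(revoked_certificates_der):
    """What a consumer that ignores CRL entry extensions sees: every serial is revoked."""
    _tag, entries, _ = parse_tlv(revoked_certificates_der, 0)
    return {int.from_bytes(next(iter_sequence(e))[1], "big") for _t, e in iter_sequence(entries)}


def certificate_status(serial, revoked_certificates_der):
    """Relying-party view of one serial: 'revoked', 'suspended' or 'good'."""
    held, revoked, _lifted = classify_crl(revoked_certificates_der)
    if serial in revoked:
        return "revoked"
    if serial in held:
        return "suspended"
    return "good"


# Constructed sample: one key compromise, one hold, one entry with no reasonCode.
SAMPLE_CRL_ENTRIES = der_tlv(0x30,
    revoked_entry(0x1001, "000126120000Z", reason=1)                 # keyCompromise
    + revoked_entry(0x1002, "000126120000Z", reason=CERTIFICATE_HOLD)
    + revoked_entry(0x1003, "000126120000Z"))                        # no extension

if __name__ == "__main__":
    print("with reasonCode :", classify_crl(SAMPLE_CRL_ENTRIES))
    print("ignoring extns  :", revoked_serials_ignoring_extensions(SAMPLE_CRL_ENTRIES))
```

The two parsers show the practical answer to the question in the thread: software that does not understand entry extensions still fails closed, treating a held certificate exactly like a revoked one, so publishing holds in an ordinary CRL never weakens relying parties that cannot read them; only the reverse case, a hold that later expires without the relying party refreshing its CRL, is where the semantics differ. Beyond the constructed serials, everything the block relies on is the standard reasonCode extension encoding.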