
Re: OCSP and CSL



Russ, I cannot agree more. I'm just trying to figure out if these are real
customer requirements or some folks in a glass house tinkering with
possibilities.

JRT
----- Original Message -----
From: Russ Housley <housley@spyrus.com>
To: <ietf-pkix@imc.org>
Sent: Monday, January 31, 2000 11:22 AM
Subject: RE: OCSP and CSL


>
>  >>>I cannot find my smartcard... I suppose I left it at my friend's
>  >>>house, but I am not sure... So I ask for a suspension of the service.
>  >>>Then I go to my friend's house and I find my smartcard... so the
>  >>> certificate has never been in danger, I can ask the
>  >>>CA Org not to revoke it and from the suspended state it returns to the
>  >>>valid state.
>  >>
>  >> Revoking certificates and reissue sounds like an excellent solution to
>  >> this problem. The encryption key can be rolled over in the re-issued card,
>  >> minting new signing keys is never a problem.
>  >>
>  >> I don't think that the change of the cert status back to
>  >> valid has much hope of being accurately and reliably tracked.
>  >> Re-certification is a slam dunk.
>  >
>  >I don't quite agree. Reissuing a certificate for a smart card will always be
>  >more of a hassle than suspending/unsuspending. Not so much for the CA, but for
>  >the user who needs to put his card into a reader capable of updating the
>  >certificate on the smart card (assuming that the certificate is stored
>  >together with the keys). Given that suspension/unsuspensions usually are
>  >requested over phone, I don't think people would be happy with this.
>
> I cannot agree.  The use of suspend adds considerable complexity to both
> the infrastructure and the relying parties, regardless of the revocation
> mechanism used (OCSP, CRLs, whatever).  The provision of non-repudiation is
> also made much more complex.
>
> If a user forgets their smartcard at a friend's house, then the PIN/password
> for that smartcard should prevent misuse.  If the user stored her
> PIN/password with the smartcard, then the certificate should be revoked
> permanently.
>
> Russ
>
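An added illustration of the non-repudiation point made in the thread above (this is a constructed model, not code from the list or from any PKIX implementation): a relying party that only asks "is the certificate good now?" cannot tell that a signature was produced while the certificate was on hold, because a later unsuspension puts the status back to good. Permanent revocation is sticky, so the same one-shot query gives the right answer. Timestamps and status histories are constructed sample values.

```python
from dataclasses import dataclass
from typing import List

# Status values modelled on the CRL/OCSP vocabulary: good, the
# certificateHold reason code (suspension), and permanent revocation.
GOOD, HOLD, REVOKED = "good", "certificateHold", "revoked"


@dataclass(frozen=True)
class StatusEvent:
    time: int      # constructed sample timestamp (seconds, arbitrary epoch)
    status: str    # GOOD (hold lifted), HOLD or REVOKED


def status_at(history: List[StatusEvent], t: int) -> str:
    """Status in force at time t, given the complete ordered event history.

    Permanent revocation is sticky: once REVOKED, later events are ignored.
    A hold is not: a later GOOD event lifts it, which is why the relying
    party needs the whole history rather than the latest answer alone.
    """
    current = GOOD
    for ev in sorted(history, key=lambda e: e.time):
        if ev.time > t or current == REVOKED:
            break
        current = ev.status
    return current


def signature_ok_with_history(history: List[StatusEvent], signed_at: int) -> bool:
    """History-aware check: was the certificate good when the signature was made?"""
    return status_at(history, signed_at) == GOOD


def signature_ok_with_current_status(history: List[StatusEvent],
                                     signed_at: int, now: int) -> bool:
    """Naive check: one status query at verification time, signing time ignored."""
    return status_at(history, now) == GOOD


# Constructed sample histories for the scenario in the thread.
# Card reported lost at t=100 (suspended), found and unsuspended at t=200.
SUSPENDED_THEN_RESTORED = [StatusEvent(100, HOLD), StatusEvent(200, GOOD)]
# Same loss handled by permanent revocation; the later GOOD is ignored.
REVOKED_FOR_GOOD = [StatusEvent(100, REVOKED), StatusEvent(200, GOOD)]

if __name__ == "__main__":
    # A signature made at t=150, during the hold window, checked at t=300.
    print("history-aware:", signature_ok_with_history(SUSPENDED_THEN_RESTORED, 150))
    print("current-only :", signature_ok_with_current_status(SUSPENDED_THEN_RESTORED, 150, 300))
```

With suspension the two checks disagree (history-aware rejects, current-only accepts the signature made during the hold); with permanent revocation both reject it.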