
Re: OCSP and CSL



Irene Gassko wrote:
> 
> At 09:46 AM 02/02/2000 +0100, Antonio Lioy wrote:
> >Juan Rodriguez-Torrent wrote:
> >[snip]
> >I'm mildly unsatisfied with the recent discussion over this
> >list. It appears that everybody is against certificate
> >suspension, given its associated cost. I think that, when
> >speaking technically, we should abide from the associated
> >costs of operation, because those costs are quite sensitive
> >to the perceived needs from the users (otherwise we would
> >never define or adopt strong security measures because they
> >are surely too expensive :-)
> >Moreover, some mails suggest using CRLs with the OnHold
> >reason for suspension, and later removing the certificate if
> >it is not actually revoked. What??? I have some really bad
> >feeling about this solution because my understanding is:
> >1. "revoked" means revoked, i.e. the cert is no longer valid
> >for any use starting from a certain date
> 
> If we look for a real world analogy here, I would expect that it
> would be instructive to see how credit card companies handle it.
> Most will close your account forever, but when I called AMEX
> and asked them to close my account, they told me that within
> a year I could reopen it if I changed my mind. Hence this is at
> least debatable.
> 
> >2. once a cert is inserted into a CRL, it can *never* be
> >deleted from it
> 
> This is not true. Expired certificates are deleted from CRL.

I am not sure about this. If you delete it from the list, how can you
prove it is not valid from the revocation date on ??? The CRLs should
provide a 'history' of all revoked certificates...

C'you,

	Massimiliano Pala (madwolf@openca.org)

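As an added example, not part of the thread, a small constructed model of the point Pala raises: a verifier that answers "was this certificate revoked at time T?" from whichever CRL is current loses that history once the CA drops entries for expired certificates, and likewise once a certificateHold entry is released. The serials, dates and the Crl/CrlEntry classes are constructed for illustration; no real CRL encoding or parsing is involved.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime as dt

@dataclass
class CrlEntry:
    revocation_date: dt
    reason: str  # RFC 5280 CRLReason name, e.g. "keyCompromise" or "certificateHold"

@dataclass
class Crl:
    this_update: dt
    entries: dict[int, CrlEntry] = field(default_factory=dict)  # keyed by serial

    def revoke(self, serial: int, date: dt, reason: str) -> None:
        self.entries[serial] = CrlEntry(date, reason)

    def release_hold(self, serial: int) -> None:
        # Lifting a suspension: only a certificateHold entry may be dropped this way.
        e = self.entries.get(serial)
        if e is not None and e.reason == "certificateHold":
            del self.entries[serial]

    def reissue_pruned(self, this_update: dt, not_after: dict[int, dt]) -> Crl:
        # RFC 5280 lets a CA omit entries for certificates already past notAfter.
        kept = {s: e for s, e in self.entries.items()
                if not_after.get(s, this_update) >= this_update}
        return Crl(this_update, kept)

def was_revoked_at(crl: Crl, serial: int, at: dt) -> bool:
    """'Was this certificate revoked at time `at`?' answered from a single CRL."""
    e = crl.entries.get(serial)
    return e is not None and e.revocation_date <= at

def demo() -> dict[str, bool]:
    # Constructed sample: cert 0x1001 expires 2001-01-01, key compromised 2000-02-01.
    not_after = {0x1001: dt(2001, 1, 1)}
    crl = Crl(dt(2000, 3, 1))
    crl.revoke(0x1001, dt(2000, 2, 1), "keyCompromise")
    crl.revoke(0x1002, dt(2000, 2, 15), "certificateHold")
    signed_at = dt(2000, 6, 1)  # a signature made with the compromised key
    before = was_revoked_at(crl, 0x1001, signed_at)
    later = crl.reissue_pruned(dt(2001, 6, 1), not_after)  # cert expired, entry gone
    after = was_revoked_at(later, 0x1001, signed_at)       # history lost: now "good"
    held = was_revoked_at(crl, 0x1002, dt(2000, 3, 1))
    crl.release_hold(0x1002)                                # suspension lifted
    released = was_revoked_at(crl, 0x1002, dt(2000, 3, 1))  # past hold no longer visible
    return {"before_prune": before, "after_prune": after,
            "while_held": held, "after_release": released}
```

The two False results are the gap Pala describes: a verifier checking an old signature against the current CRL alone needs archived CRLs (or another revocation history source) to learn that the key was compromised or the certificate held at signing time.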