RE: OCSP and CSL
Hi Joerg,
No, this isn't a security flaw - PKIX requires a revoked
cert to appear in at least 1 CRL before it is dropped off the
CRL list because of expiry - somebody already thought of
this one!
Regards,
Ambarish
> -----Original Message-----
> From: Joerg Seidel [mailto:seidel@timeproof.de]
> Sent: Thursday, February 03, 2000 5:12 AM
> To: Massimiliano Pala
> Cc: ietf-pkix@imc.org
> Subject: Re: OCSP and CSL
>
>
> Massimiliano Pala schrieb:
> >
> > Irene Gassko wrote:
> > >
> > > >2. once a cert is inserted into a CRL, it can *never* be
> > > >deleted from it
> > >
> > > This is not true. Expired certificates are deleted from CRL.
> >
> > I am not sure about this. If you delete it from the list how can you
> > prove it is not valid from the revocation date on ??? The CRLs should
> > provide a 'history' of all revoked certificates...
>
> In order to prove the invalidity of a certain signature you need the CRL
> of the point of time the signature was made. Well, more precisely the CRL
> which was released next after the signature was made. If you want to be
> able to prove the validity of a signature after the expiration date of the
> corresponding certificate you need to store this CRL together with the
> signature. Well and you need to prove the validity of the
> CRL-Signing-Certificate at that time, so you need ... and so on until you
> have got a CRL signed with a private key corresponding to a non-expired
> and non-revoked certificate.
>
> I just realized: Maybe there is a small security flaw in this system: If a
> certificate gets revoked just before certificate expiration, but the next
> CRL is released after the expiration time, the revocation might not be
> stated in CRLs at all. The state of the signature is unknown.
>
> Jörg Seidel
> --
> timeproof phone +49-40-76629-1911
> Development fax +49-40-76629-551
> Harburger Schloßstraße 6-12 mailto:seidel@timeproof.de
> D-21079 Hamburg http://www.timeproof.de
>
> + + + timeproof CeBIT 2000 Hall 23 Stand A22/14 + + +
>
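To make the retention rule in Ambarish's reply concrete, here is an added example (not from either message in the thread) that simulates the scenario Jörg describes on a constructed clock: a certificate expiring at t=100, revoked at t=99, with CRLs issued at t=90, 110 and 120. The naive "drop on expiry" rule never publishes the revocation at all; the PKIX rule keeps the entry on the first CRL issued after expiry and drops it only afterwards. All serials, times and the issuer model are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Cert:
    serial: int
    not_after: int                    # expiry time on the constructed clock
    revoked_at: Optional[int] = None  # None = never revoked

@dataclass
class CrlIssuer:
    """Minimal CRL issuer: decides which revoked serials a CRL must list."""
    certs: List[Cert]
    pkix_rule: bool  # True: keep entry until one CRL after expiry; False: drop on expiry
    shown_after_expiry: Set[int] = field(default_factory=set)

    def issue(self, now: int) -> List[int]:
        listed = []
        for c in self.certs:
            if c.revoked_at is None or c.revoked_at > now:
                continue  # not (yet) revoked at issuance time
            if c.not_after > now:
                listed.append(c.serial)  # still within validity: always listed
                continue
            # Certificate has expired. Naive issuers drop it here; the PKIX rule
            # requires it to appear on at least one CRL issued after expiry.
            if self.pkix_rule and c.serial not in self.shown_after_expiry:
                listed.append(c.serial)
                self.shown_after_expiry.add(c.serial)
        return listed

def simulate(pkix_rule: bool,
             crl_times: Tuple[int, ...] = (90, 110, 120)) -> Dict[int, List[int]]:
    """Issue CRLs at crl_times for Joerg's case: revoked at 99, expires at 100."""
    cert = Cert(serial=42, not_after=100, revoked_at=99)
    issuer = CrlIssuer(certs=[cert], pkix_rule=pkix_rule)
    return {t: issuer.issue(t) for t in crl_times}

def revocation_published(crls: Dict[int, List[int]], serial: int) -> bool:
    """True if the serial ever appeared on any issued CRL (relying parties can prove revocation)."""
    return any(serial in entries for entries in crls.values())

if __name__ == "__main__":
    for rule in (False, True):
        crls = simulate(rule)
        print("pkix_rule=%s crls=%s published=%s"
              % (rule, crls, revocation_published(crls, 42)))
```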