
Re: German Law and OCSP
Hello out there!

It seems that there are a lot of confusions regarding some terms in the German Law.
As noted, there are two distinct entities: one for issuing certificates and one for revoking certificates. The revocation is maintained by the directory service (DIR, Andreas Berger described it with "information service"). At the moment the issuing entity signs a certificate you may be tempted to say it is valid, but in the sense of German Law a valid certificate has to be published. Published in this context means that the certificate is either *checkable* (you can only get status information) or *retrievable* (you can get status information and the whole certificate). Both statuses have to be maintained by the DIR.

I think the confusion springs from legal terms. In the above-mentioned example the technical term *valid* for a certificate would refer to the moment of signing with the signing key. The legal term assumes the publishing of the certificate.

Another misunderstanding seems to be the role of the CRL in German Law.

Antonio Lioy wrote (28.01.2000): "... the only legally binding way to prove that a cert was not valid at a certain date is to provide a CRL (or a CSL!!!) that includes it." The German Law requires only the *checkability* of the status of a certificate for anybody at any time (§4 SigG). The interoperability schemes (SigI A5) propose OCSP. The status *suspension* isn't allowed according to the German Law, in comparison with Italian law, which requires a CRL (Art. 29 par. 3) and the possibility of suspension (Art. 33).

Best regards,
Johan Hesse

**************************************
Johan Hesse
secunet
Security Networks AG
Osterbekstraße 90b
22083 Hamburg
 
Tel   : +49 (0)40/696599-12
Fax   : +49 (0)40/696599-29
mailto:j.hesse@secunet.de
**************************************