[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: German Law and OCSP
Denis,
> > Once such a division is made technically, it was extended to the idea
> > that a certificate should only be valid once it is inserted in the
> > information service database.
>
> I do not understand. To be "valid" a certificate does not (even)
> have to be published. It may be given back to the user who may
> decide to send it to whatever entity he wishes.
you're certainly right. However, the German Digital Signature Act states:
[from http://www.iid.de/rahmen/iukdgebt.html#a3]
§ 5: Issue of Certificates
(1) The certification authority shall reliably establish the identity of persons applying for a
certificate. It shall confirm the assignment of a public signature key to an identified person
by a signature key certificate which, together with any attribute certificates, shall be kept
available for verification and, with the consent of the owner of the signature key, for
retrieval at all times and for everyone over publicly available telecommunication links.
The magic statement here is "...shall be kept available for verification...
at all times...". Therefore, a certificate implicitly is valid once it is
made available (from the CA's repository) for verification. Like it or
not (I don't) - that's the way the validity model was chosen to be. E.g., I've
been issued one of the very few certificates issued according to the law
but since it has not been published yet it is not valid in the sense
of the law...
The law currently is under evaluation and will be revised later this
year. It's highly unlikely that they're going to change this validity
model, though.
Cheers,
Stefan.
______________________________________________________________________________
Stefan Kelm PGP key: "finger kelm@www.pca.dfn.de" or via key server
DFN-PCA <kelm@pca.dfn.de>
Vogt-Koelln-Str. 30 http://www.pca.dfn.de/~kelm/
22527 Hamburg (Germany) Tel: +49 40 428 83-2262 / Fax: -2241