Re: German Law and OCSP
>>>>> "Stefan" == Stefan Kelm <kelm@pca.dfn.de> writes:
Stefan> Denis,
>> > Once such a division is made technically, it was extended to the
>> > idea that a certificate should only be valid once it is inserted
>> > in the information service database.
>>
>> I do not understand. To be "valid" a certificate does not (even)
>> have to be published. It may be given back to the user who may
>> decide to send it to whatever entity he wishes.
Stefan> you're certainly right. However, the German Digital Signature
Stefan> Act states: [from http://www.iid.de/rahmen/iukdgebt.html#a3]
Stefan> § 5: Issue of Certificates
Stefan> (1) The certification authority shall reliably establish the
Stefan> identity of persons applying for a certificate. It shall
Stefan> confirm the assignment of a public signature key to an
Stefan> identified person by a signature key certificate which,
Stefan> together with any attribute certificates, shall be kept
Stefan> available for verification and, with the consent of the owner
Stefan> of the signature key, for retrieval at all times and for
Stefan> everyone over publicly available telecommunication links.
Stefan> The magic statement here is "...shall be kept available for
Stefan> verification... at all times...". Therefore, a certificate
Stefan> implicitly is valid once it is made available (from the CA's
Stefan> repository) for verification. Like it or not (I don't) -
Stefan> that's the way the validity model was chosen to be. E.g.,
Stefan> I've been issued one of the very few certificates issued
Stefan> according to the law but since it has not been published yet
Stefan> it is not valid in the sense of the law...
I think that may be a matter of interpretation. The English
translation is ambiguous as to whether "at all times and for everyone"
applies to retrieval only, or also to verification. The original
makes it clear the latter is correct.
One way of reading that is "any person should be able to verify the
validity of the certificate; if any communication channels are needed
for this, public ones should suffice". The standard algorithm of
checking the CA signature and the CRL is an example of such a process,
assuming that the current CRL is available over public communications
channels.
paul