RE: German Law and OCSP
Hi Paul,
Just one correction - OCSP can tell you of the historical
status of a cert - there is an ArchiveCutoff mechanism. If your
cert expired after ArchiveCutoff, then the status is as indicated
in the response.
Regards,
Ambarish
P.S. I, too, would appreciate pointers to English versions of both
the German and Italian Digital Signature laws.
---------------------------------------------------------------------
Ambarish Malpani
Architect 650.567.5457
ValiCert, Inc. ambarish@valicert.com
1215 Terra Bella Ave. http://www.valicert.com
Mountain View, CA 94043-1833
> -----Original Message-----
> From: Paul Halliden [mailto:PHalliden@baltimore.com]
> Sent: Thursday, February 24, 2000 8:53 AM
> To: 'Hesse, Johan'; Denis.Pinkas@bull.net; lioy@polito.it;
> aberger@darmstadt.gmd.de
> Cc: ietf-pkix@imc.org
> Subject: RE: German Law and OCSP
>
>
> > It seems that there are a lot of confusions regarding some terms
> > in the German Law.
> Agreed ;)
>
> [snip]
>
> > I think the confusion springs from legal terms. In the above
> > mentioned example the technical term of *valid* for a certificate
> > would be the moment of the signing with the signing key.
> Technically a certificate is valid from the date and time
> contained in the
> ASN.1 element "notBefore" in the "Validity" sequence of the
> X.509 structure.
> This may or may not be the time of signing by the CA.
> Indeed, it may be
> delayed with respect to time of signing to cope with the scenario you
> describe in your later mail. This is the same as the process
> known as "Thro
> dating" used by credit card companies to protect against the risks you
> mention.
>
> > The legal term assumes the publishing of the certificate.
> >
> > Another misunderstanding seems to be the role of the CRL in
> German Law.
> > Antonio Lioy wrote (28.01.2000) "... the only legally binding way
> > to prove that a cert was not valid at a certain date is to provide
> > a CRL (or a CSL!!!) that includes it." The German Law requires
> > only the *checkability* of the status of a certificate for anybody
> > to any time (§4 SigG).
> This is §5(1) in my (English) copy dated 1 August 1997. Is
> there a later
> version? More importantly, it was explained to me that the
> German model
> needed to know if a certificate was valid at the time that
> the corresponding
> signature key was originally used and not at the time the request for
> validation is performed. This is because one might be
> checking a legal
> document that is tens of years old. Is that what you mean by
> "to any time"?
>
> > The interoperability schemes (SigI A5) propose OCSP.
> As I understand it, OCSP is designed to tell you status now
> not status at
> some previous date. If so, is this another issue with German
> Law and OCSP?
>
> > The status *suspension* isn't allowed according to the German Law,
> > in comparison with Italian law which requires a CRL (Art. 29 par. 3)
> > and the possibility of suspension (Art. 33).
> Do you have a reasonable English translation of the Italian
> law - or a link
> to a translation?
>
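Ambarish's correction above, that an OCSP response with an archiveCutoff single-response extension can answer a question about a certificate's status at a past time, is worked through below as an added example; it is not code from either poster, ValiCert, or the PKIX working group. It models the decision a relying party would make, not DER parsing: the `SingleResponse` dataclass, the `HistoricalStatus` names and the sample dates are all constructed for this illustration, and the derivation of the cutoff as producedAt minus a retention interval is the RFC 2560 definition. Note what the response does and does not say: it speaks about the certificate as of producedAt, so status at an earlier time is inferred from the revocationTime, and a certificate that expired before the cutoff gets no answer at all.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class HistoricalStatus(Enum):
    # Outcomes of asking "what was this certificate's status at time T?"
    GOOD = "good at that time"
    REVOKED = "revoked at that time"
    NOT_YET_VALID = "T precedes notBefore"
    EXPIRED = "T follows notAfter"
    AFTER_PRODUCED_AT = "T follows producedAt; the response cannot speak about it"
    NOT_RETAINED = "certificate expired before archiveCutoff; responder no longer vouches for it"


@dataclass
class SingleResponse:
    """Fields of one OCSP SingleResponse that matter here (constructed model, not a parser)."""
    cert_status: str                          # "good" or "revoked"
    produced_at: datetime                     # producedAt of the enclosing response
    revocation_time: Optional[datetime] = None
    archive_cutoff: Optional[datetime] = None  # archiveCutoff single extension, if present


def archive_cutoff_from_retention(produced_at: datetime, retention: timedelta) -> datetime:
    # RFC 2560 4.4.4: the archive cutoff date is producedAt minus the responder's
    # retention interval for revocation information about expired certificates.
    return produced_at - retention


def status_at(resp: SingleResponse, not_before: datetime, not_after: datetime,
              when: datetime) -> HistoricalStatus:
    """Infer the certificate's status at `when` from a single OCSP response."""
    if when < not_before:
        return HistoricalStatus.NOT_YET_VALID
    if when > not_after:
        return HistoricalStatus.EXPIRED
    if when > resp.produced_at:
        # A response only describes the world up to the moment it was produced.
        return HistoricalStatus.AFTER_PRODUCED_AT

    # Does the responder still vouch for this certificate?  With archiveCutoff, it
    # does so for any certificate that expired on or after the cutoff.  Without it,
    # an expired certificate may already have been purged, so no claim can be made.
    if resp.archive_cutoff is not None:
        if not_after < resp.archive_cutoff:
            return HistoricalStatus.NOT_RETAINED
    elif not_after < resp.produced_at:
        return HistoricalStatus.NOT_RETAINED

    if resp.cert_status == "good":
        return HistoricalStatus.GOOD
    if resp.cert_status == "revoked":
        if resp.revocation_time is None:
            raise ValueError("revoked status without revocationTime")
        # Revocation is not retroactive in the OCSP model: before revocationTime
        # the certificate was good.
        return HistoricalStatus.REVOKED if when >= resp.revocation_time else HistoricalStatus.GOOD
    raise ValueError(f"unsupported certStatus {resp.cert_status!r}")


def demo() -> dict:
    """Constructed scenarios around the date of the original mail (24 Feb 2000)."""
    utc = timezone.utc
    produced_at = datetime(2000, 2, 24, 12, 0, tzinfo=utc)
    cutoff = archive_cutoff_from_retention(produced_at, timedelta(days=5 * 365))  # early 1995

    # A: expired in 1997, after the cutoff, never revoked -> historical "good" is answerable.
    a = SingleResponse("good", produced_at, archive_cutoff=cutoff)
    # B: expired in 1994, before the cutoff -> responder has dropped it.
    b = SingleResponse("good", produced_at, archive_cutoff=cutoff)
    # C: revoked mid-1998, so status depends on which side of revocationTime T falls.
    c = SingleResponse("revoked", produced_at,
                       revocation_time=datetime(1998, 6, 1, tzinfo=utc), archive_cutoff=cutoff)
    # D: same as A but the responder sent no archiveCutoff -> nothing can be concluded.
    d = SingleResponse("good", produced_at)

    return {
        "a_1996": status_at(a, datetime(1996, 1, 1, tzinfo=utc), datetime(1997, 1, 1, tzinfo=utc),
                            datetime(1996, 6, 1, tzinfo=utc)),
        "b_1993": status_at(b, datetime(1992, 1, 1, tzinfo=utc), datetime(1994, 1, 1, tzinfo=utc),
                            datetime(1993, 6, 1, tzinfo=utc)),
        "c_before": status_at(c, datetime(1998, 1, 1, tzinfo=utc), datetime(1999, 12, 31, tzinfo=utc),
                              datetime(1998, 3, 1, tzinfo=utc)),
        "c_after": status_at(c, datetime(1998, 1, 1, tzinfo=utc), datetime(1999, 12, 31, tzinfo=utc),
                             datetime(1998, 7, 1, tzinfo=utc)),
        "d_1996": status_at(d, datetime(1996, 1, 1, tzinfo=utc), datetime(1997, 1, 1, tzinfo=utc),
                            datetime(1996, 6, 1, tzinfo=utc)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result.value}")
```

Case D is the situation Paul describes: with no archiveCutoff the relying party cannot tell a purged certificate from a never-revoked one, which is why the extension matters for signatures that must be checked years later.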