[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Algorithm revocation

To: tgindin@xxxxxxxxxx, ietf-pkix@xxxxxxx
Subject: Re: Algorithm revocation
From: Sönke Maseberg <maseberg@xxxxxxxxxxxxxxxx>
Date: Wed, 21 Feb 2001 11:02:14 +0100

Tom,

I would like to quote 'PKIX Roadmap - March 10, 2000'
[<draft-ietf-pkix-roadmap-05.txt>] part 3.5.6.4 Revocation

 When a PKC is issued, it is expected to be in use for its entire
 validity period. However, various circumstances may cause a PKC to
 become invalid prior to the expiration of the validity period. Such
 circumstances include change of name, change of association between
 subject and CA (e.g., an employee terminates employment with an
 organization), and compromise or suspected compromise of the
 corresponding private key. Under such circumstances, the CA needs to
 revoke the PKC.

Under the assumption that a signature algorithm is compromised suddenly,
the CA have to revoke all of the certificates that use this algorithm.
And if the CA has a lot of CHs the CRL would be very large and not
practically to handle. So IMO 'revokeAlgorithms' would be a possibility
to revoke implicitly all shocked certificates.


The basic rule behind a pyramided set of timestamps is good if not the
same signature algorithm for all signatures is used. Otherwise if the
signature algorithm is compromised at time you cannot proof the time of
creation of a signature.


Sönke

Prev by Date: Re: Algorithm revocation
Next by Date: RE: multiple digitale signatures
Previous by thread: Re: Algorithm revocation
Next by thread: RE: Algorithm revocation
Index(es):
- Date
- Thread