
Re: Online Certificate Revocation Protocol



At 11:01 AM 6/8/01 +0200, Massimiliano Pala wrote:
Carlin Covey wrote:

> But none of these allow a certificate to be revoked. I gather that
> you are interested in a protocol for requesting revocation of certificates.
> Check out CMP, available at
> http://www.ietf.org/internet-drafts/draft-ietf-pkix-rfc2510bis-04.txt

This could be the case, anyway I was thinking of something more "robust"
and a little bit complex -- as request/response contents -- to prevent
unauthorized revocation requests, to prevent as much as possible DoS but
allowing for a simple revocation method. This could help environments where
legal issues are also covered -- government PKIs, Municipalities PKIs,
etc...

This is exactly what CMP specifies. Many vendors already have support for CMP EE initiated certificate revocation. The interoperability of different implementations of CMP certificate revocation (among other things) has been conducted during PKI Forum and ICSA CMP interop testing quite successfully.


Nada


The model I've been thinking of is mostly based on a structure very similar
to the model proposed in OCSP. The chosen transport mechanism could be
HTTP -- this could help browsers in adding the functionality and CSPs to
implement the service.

--

C'you,

Massimiliano Pala

--o-------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager]                madwolf@xxxxxxxxxx
                                                     madwolf@xxxxxxxxxxxxxxx
http://www.openca.org                            Tel.:   +39 (0)59  270  094
http://openca.sourceforge.net                    Mobile: +39 (0)347 7222 365

______________________________________________________________


Nada Kapidzic Cicovic, Ph.D.
Technical Director,   Entegrity Solutions
office: + 46 8 477 77 37,   cell: + 46 70 495 09 03,    fax: + 46 8 477 77 31