[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Online Certificate Revocation Protocol

To: Marc Branchaud <marcnarc@xxxxxxxxxxxxxxx>, ietf-pkix@xxxxxxx
Subject: RE: Online Certificate Revocation Protocol
From: Santosh Chokhani <chokhani@xxxxxxxxxxxx>
Date: Sat, 9 Jun 2001 09:31:58 -0400
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Sender: owner-ietf-pkix@xxxxxxxxxxxx

Title: RE: Online Certificate Revocation Protocol

You could revoke, but there is no compelling security reason just because the key is destroyed regardless of the sensitivity of the subject component or the application.

Now, if some other foul play is suspected as part of the destruction event, that is another matter.

-----Original Message-----
From: Marc Branchaud [mailto:marcnarc@xxxxxxxxxxxxxxx]
Sent: Friday, June 08, 2001 8:30 PM
To: ietf-pkix@xxxxxxx
Subject: Re: Online Certificate Revocation Protocol

Santosh Chokhani wrote:
>
> Destroying a private key used to generate signature may cause some
> operational grief in terms of getting a new key certified, but there is no
> need for that key any more and hence no revocation is needed.
>

Except that "destruction" is not necessarily irrecoverable. I would always
revoke, as a general rule, especially for highly sensitive (e.g. CA) keys.

Marc

Follow-Ups:
- Re: Online Certificate Revocation Protocol
  - From: Marc Branchaud

Prev by Date: RE: Online Certificate Revocation Protocol
Next by Date: Re: Online Certificate Revocation Protocol
Previous by thread: Re: Online Certificate Revocation Protocol
Next by thread: Re: Online Certificate Revocation Protocol
Index(es):
- Date
- Thread