[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Online Certificate Revocation Protocol

To: ietf-pkix@xxxxxxx
Subject: Re: Online Certificate Revocation Protocol
From: Marc Branchaud <marcnarc@xxxxxxxxxxxxxxx>
Date: Mon, 11 Jun 2001 16:36:24 -0700
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Organization: RSA Security
References: <> <>
Sender: owner-ietf-pkix@xxxxxxxxxxxx

Marc Branchaud wrote:
> 
> So here's a proposal:
> 
> If a key (CA's or otherwise) is destroyed, place the certificate on a CRL
> with a "key destroyed" reason.  This indicates that any certificates issued
> by that key on or after the time of destruction should be considered invalid.
> 
> If, before the key's certificate expires, the key is actually compromised,
> issue a new CRL with a "key compromised" revocation reason.  This fully
> revokes the certificate, with all that implies.

Perhaps the existing cessationOfOperation code could be used as a "key
destroyed" reason.  X.509 states: "cessationOfOperation indicates that the
certificate is no longer needed for the purpose for which it was issued but
there is no cause to suspect that the private key has been compromised." 
That doesn't quite fit, but it might work.

		Marc

References:
- RE: Online Certificate Revocation Protocol
  - From: Tony Bartoletti
- Re: Online Certificate Revocation Protocol
  - From: Marc Branchaud

Prev by Date: RE: Online Certificate Revocation Protocol
Next by Date: RE: Online Certificate Revocation Protocol
Previous by thread: Re: Online Certificate Revocation Protocol
Next by thread: Re: Online Certificate Revocation Protocol
Index(es):
- Date
- Thread