[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Online Certificate Revocation Protocol

To: ietf-pkix@xxxxxxx, madwolf@xxxxxxxxxx
Subject: Re: Online Certificate Revocation Protocol
From: pgut001@xxxxxxxxxxxxxxxxx (Peter Gutmann)
Date: Thu, 14 Jun 2001 11:13:07 (NZST)
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Reply-to: pgut001@xxxxxxxxxxxxxxxxx
Sender: owner-ietf-pkix@xxxxxxxxxxxx

Massimiliano Pala <madwolf@xxxxxxxxxxxxxxx> writes:
>Peter Gutmann wrote:
>>There's another revocation status which needs a way of indicating it which is
>>somewhat trickier, I'll bring it up here in case anyone has any ideas:
>>Sometimes a cert can be issued in error, what's needed here is a revocation
>>reason which says that not only is the cert revoked, it should never be and
>>was never valid at any time for any reason.  You can sort of achieve this by
>
>In this case, when will br the entry removed from the CRL ? When the 
>certificate will be expired ?? Or should it be left in all future CRLs ?

Well, CMP leaves pretty much everything to CA policy so it's up to the 
individual CA.  I leave it in the CRL until the cert expires anyway, but 
that's just me (I'm also currently overloading the "undefined" reason code in 
the hope that, since you're not supposed to use it, it's a spare code which 
can be used to mean "never valid", but it really needs its own reason code to 
indicate the true status).

Peter.

Follow-Ups:
- RE: Online Certificate Revocation Protocol
  - From: Liaquat Khan

Prev by Date: RE: Online Certificate Revocation Protocol
Next by Date: Re: X.509 Extensions Enhancements
Previous by thread: RE: Online Certificate Revocation Protocol
Next by thread: RE: Online Certificate Revocation Protocol
Index(es):
- Date
- Thread