[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Online Certificate Revocation Protocol

To: liaquat.khan@xxxxxxxxxxxxxxxxx
Subject: Re: Online Certificate Revocation Protocol
From: Denis Pinkas <Denis.Pinkas@xxxxxxxx>
Date: Mon, 18 Jun 2001 10:58:34 +0200
Cc: ietf-pkix@xxxxxxx
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Organization: Integris. A Bull Company
References: <>
Sender: owner-ietf-pkix@xxxxxxxxxxxx

Liaquat,

> I agree a new reason code of ("never valid") has uses.  This will allow a
> relying party when verifying a digital signatures using a certificate, which
> when performing revocation checking is found to be on a CRL with the a new
> reason code ("never valid"), to detect that the digital signature should not
> be trusted even if the digital signature was produced before the time of the
> revocation of the certificate.   Otherwise in theory signature produced
> before the revocation will continue to be considered valid - not a good
> situation for the relying party or for the CA.

This is the reverse situation. If a signature was tested to be valid e.g. in
June 2000 and the certificate was revoked for any reason e.g. in May 2001,
then the signature tested good in June 2000, shall continue to be valid,
otherwise it would not be a good situation for relying parties.

Denis 

> However, I cannot see the need to keep such a certificate on a CRL even
> after it has expired...what does this achieve?
> 
> Regards,
> Liaquat
> 
> -----Original Message-----
> From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx]On
> Behalf Of Peter Gutmann
> Sent: 14 June 2001 11:13
> To: ietf-pkix@xxxxxxx; madwolf@xxxxxxxxxx
> Subject: Re: Online Certificate Revocation Protocol
> 
> Massimiliano Pala <madwolf@xxxxxxxxxxxxxxx> writes:
> >Peter Gutmann wrote:
> >>There's another revocation status which needs a way of indicating it which
> is
> >>somewhat trickier, I'll bring it up here in case anyone has any ideas:
> >>Sometimes a cert can be issued in error, what's needed here is a
> revocation
> >>reason which says that not only is the cert revoked, it should never be
> and
> >>was never valid at any time for any reason.  You can sort of achieve this
> by
> >
> >In this case, when will br the entry removed from the CRL ? When the
> >certificate will be expired ?? Or should it be left in all future CRLs ?
> 
> Well, CMP leaves pretty much everything to CA policy so it's up to the
> individual CA.  I leave it in the CRL until the cert expires anyway, but
> that's just me (I'm also currently overloading the "undefined" reason code
> in
> the hope that, since you're not supposed to use it, it's a spare code which
> can be used to mean "never valid", but it really needs its own reason code
> to
> indicate the true status).
> 
> Peter.

Follow-Ups:
- RE: Online Certificate Revocation Protocol
  - From: Liaquat Khan

References:
- RE: Online Certificate Revocation Protocol
  - From: Liaquat Khan

Prev by Date: RE: Online Certificate Revocation Protocol
Next by Date: Re: Online Certificate Revocation Protocol
Previous by thread: RE: Online Certificate Revocation Protocol
Next by thread: RE: Online Certificate Revocation Protocol
Index(es):
- Date
- Thread