Re: Online Certificate Revocation Protocol
Re-sending due to e-mail address problems:
>I agree with Denis. The use of a "never valid" reason code needs to be very
>carefully considered before being included since it provides an easy means of a
>signatory repudiating all his signatures.
>
>Nick Pope
>
>-----Original Message-----
>From: owner-ietf-pkix@xxxxxxxxxxxx
>[mailto:owner-ietf-pkix@xxxxxxxxxxxx]On Behalf Of Denis Pinkas
>Sent: 18 June 2001 09:59
>To: liaquat.khan@xxxxxxxxxxxxxxxxx
>Cc: ietf-pkix@xxxxxxx
>Subject: Re: Online Certificate Revocation Protocol
>
>
>
>Liaquat,
>
>> I agree a new reason code of ("never valid") has uses. This will allow a
>> relying party when verifying a digital signature using a certificate, which
>> when performing revocation checking is found to be on a CRL with the new
>> reason code ("never valid"), to detect that the digital signature should not
>> be trusted even if the digital signature was produced before the time of the
>> revocation of the certificate. Otherwise in theory signatures produced
>> before the revocation will continue to be considered valid - not a good
>> situation for the relying party or for the CA.
>
>This is the reverse situation. If a signature was tested to be valid e.g. in
>June 2000 and the certificate was revoked for any reason e.g. in May 2001,
>then the signature tested good in June 2000 shall continue to be valid,
>otherwise it would not be a good situation for relying parties.
>
>Denis
>
>> However, I cannot see the need to keep such a certificate on a CRL even
>> after it has expired...what does this achieve?
>>
>> Regards,
>> Liaquat
>>
>> -----Original Message-----
>> From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx]On
>> Behalf Of Peter Gutmann
>> Sent: 14 June 2001 11:13
>> To: ietf-pkix@xxxxxxx; madwolf@xxxxxxxxxx
>> Subject: Re: Online Certificate Revocation Protocol
>>
>> Massimiliano Pala <madwolf@xxxxxxxxxxxxxxx> writes:
>> >Peter Gutmann wrote:
>> >>There's another revocation status which needs a way of indicating it which is
>> >>somewhat trickier, I'll bring it up here in case anyone has any ideas:
>> >>Sometimes a cert can be issued in error, what's needed here is a revocation
>> >>reason which says that not only is the cert revoked, it should never be and
>> >>was never valid at any time for any reason. You can sort of achieve this by
>> >
>> >In this case, when will the entry be removed from the CRL? When the
>> >certificate has expired?? Or should it be left in all future CRLs?
>>
>> Well, CMP leaves pretty much everything to CA policy so it's up to the
>> individual CA. I leave it in the CRL until the cert expires anyway, but
>> that's just me (I'm also currently overloading the "undefined" reason code in
>> the hope that, since you're not supposed to use it, it's a spare code which
>> can be used to mean "never valid", but it really needs its own reason code to
>> indicate the true status).
>>
>> Peter.
--Paul Hoffman, Director
--Internet Mail Consortium
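As an added illustration of the validation rule the thread argues about (not code from any participant, nor from a PKIX implementation), the following Python models a relying party's decision for a signature made at a known signing time when the signer's certificate appears on a CRL. Reason names and numbers follow RFC 5280 CRLReason; `NEVER_VALID` is the hypothetical code Peter proposes and has no assigned number; the `invalidityDate` handling is an assumption about how a validator would use that RFC 5280 CRL entry extension; the `Cert` and `CrlEntry` types and every serial number and date are constructed for the example.

```python
"""Added example (not from the thread): how a hypothetical "never valid" CRL
reason would change a relying party's verdict on a signature that was
produced before the certificate's revocation date."""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import List, Optional, Tuple


class Reason(Enum):
    # Names and numbers as in RFC 5280 CRLReason. NEVER_VALID is the
    # hypothetical code discussed on the list; it has no assigned number.
    UNSPECIFIED = 0
    KEY_COMPROMISE = 1
    CA_COMPROMISE = 2
    AFFILIATION_CHANGED = 3
    SUPERSEDED = 4
    CESSATION_OF_OPERATION = 5
    CERTIFICATE_HOLD = 6
    NEVER_VALID = "neverValid (hypothetical, unassigned)"


@dataclass(frozen=True)
class CrlEntry:
    serial: int
    revocation_date: datetime
    reason: Reason
    # RFC 5280 invalidityDate entry extension, when the CA supplies one: the
    # earliest time the certificate is known to have been bad (assumed usage).
    invalidity_date: Optional[datetime] = None


@dataclass(frozen=True)
class Cert:
    serial: int
    not_before: datetime
    not_after: datetime


def signature_trusted(cert: Cert, signing_time: datetime,
                      crl: List[CrlEntry]) -> Tuple[bool, str]:
    """Decide whether a signature made at signing_time is still trustworthy.

    signing_time must come from a source the relying party trusts (e.g. a
    time-stamp), never from the signer alone, or it can be backdated.
    """
    if not (cert.not_before <= signing_time <= cert.not_after):
        return False, "signed outside certificate validity period"
    entry = next((e for e in crl if e.serial == cert.serial), None)
    if entry is None:
        return True, "certificate not on CRL"
    # The hypothetical code: the certificate never conveyed any trust, so the
    # signing time is irrelevant (Liaquat's and Peter's point).
    if entry.reason is Reason.NEVER_VALID:
        return False, "certificate was never valid"
    # Ordinary revocation: a signature made before the certificate went bad
    # stays valid (Denis's point). Prefer invalidityDate when present.
    cutoff = entry.invalidity_date or entry.revocation_date
    if signing_time < cutoff:
        return True, f"signed before {entry.reason.name} took effect"
    return False, f"signed after revocation ({entry.reason.name})"


def demo() -> dict:
    """Constructed scenario mirroring the thread's dates: certificate issued
    January 2000, signature June 2000, revocation May 2001."""
    utc = timezone.utc
    cert = Cert(serial=4242,
                not_before=datetime(2000, 1, 1, tzinfo=utc),
                not_after=datetime(2002, 12, 31, tzinfo=utc))
    signed_2000 = datetime(2000, 6, 15, tzinfo=utc)
    signed_2002 = datetime(2002, 6, 15, tzinfo=utc)
    revoked = datetime(2001, 5, 1, tzinfo=utc)

    def crl(reason: Reason, invalidity: Optional[datetime] = None):
        return [CrlEntry(4242, revoked, reason, invalidity)]

    return {
        "key_compromise_before": signature_trusted(cert, signed_2000, crl(Reason.KEY_COMPROMISE))[0],
        "key_compromise_after": signature_trusted(cert, signed_2002, crl(Reason.KEY_COMPROMISE))[0],
        "never_valid_before": signature_trusted(cert, signed_2000, crl(Reason.NEVER_VALID))[0],
        # Peter's overloading of the "undefined" code: a validator that does
        # not know the CA's private convention treats it as a normal revocation.
        "overloaded_unspecified_before": signature_trusted(cert, signed_2000, crl(Reason.UNSPECIFIED))[0],
        "invalidity_date_before_signing": signature_trusted(
            cert, signed_2000, crl(Reason.KEY_COMPROMISE, datetime(2000, 3, 1, tzinfo=utc)))[0],
        "not_on_crl": signature_trusted(cert, signed_2000, [])[0],
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {'trusted' if verdict else 'rejected'}")
```

The `overloaded_unspecified_before` case is the reason Peter's workaround does not carry the status he wants: any relying party that does not share the CA's private meaning of the spare code keeps trusting the June 2000 signature, exactly as it would for a key compromise reported in May 2001. The `invalidity_date_before_signing` case shows the existing mechanism that does let a CA push the cutoff earlier than the revocation date for ordinary reasons, which is a narrower statement than "never valid at any time".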