RE: Current status of CRL validation ?
Hi Julien,
Responses inline.
Regards,
Ambarish
> -----Original Message-----
> From: owner-ietf-pkix@xxxxxxxxxxxx
> [mailto:owner-ietf-pkix@xxxxxxxxxxxx] On Behalf Of Julien Stern
> Sent: Tuesday, March 23, 2004 6:25 AM
> To: ietf-pkix@xxxxxxx
> Subject: Re: Current status of CRL validation ?
>
>
> Santosh,
>
> thanks again for your quick reply.
>
> Two more little questions, and I'll (probably) stop bothering :)
>
> 1) According to what you said, a certificate could at the
> same time be revoked or not revoked depending on your local
> policy (more specifically depending on the path you choose) ?
> That seems pretty weird... or did I misunderstand something ?
True. And not necessarily very weird. Certification paths are
like a directed graph.
Each certificate is a link in the graph from the CA to the certificate
holder. A single holder (could be a CA itself) can be certified by
multiple CAs and can in turn certify multiple certificate holders.
At a given instant, each CA gets to choose which of the links it
created are currently good (or not).
As a user (relying party), you get to choose which CAs you wish
to trust. You are trying to find a chain between a trusted CA and
the certificate holder that contains links that are currently deemed
good by the CA.
Okay. That was a mathematical description. A more real life example
is: I am trying to find out whether you are trustworthy or not. There
are folks that I trust, who may choose to trust other people. Who a
person trusts at any given time changes (based on their experiences with
that person).
At a given time, there will be some folks who will say that you are
trustworthy, others who will say that you are not and others who will
say that they don't personally know you and can't say anything about
you at all.
Depending on who I trust (the context), you could be both trustworthy
or not at the same time.
>
> 2) When I download a CRL, can I check its signature by
> verifying the path only ONCE ? Or do I have to do it each
> time I want to check a certificate ? If say, two S/MIME
> clients, send me two certificates whose revocation
> information is found in the same CRL, but with different
> paths going to different trusted anchors, it seems to me that
> I have to rebuild and recheck the path for the CRL each time ?
You can cache revocation information if you wish to. Once you have
created a path to trust a CA, you can keep that around for "some" time.
So you might not need to revalidate the path each time (depending on
your trust needs).
If two entities are certified by the same CA and both have valid
certificates at a certain instant in time, then both certificates
are valid at that instant if the CA is valid (with the appropriate
caveats to deal with Certificate Policies).
>
> --
> Julien
>
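The directed-graph view of certification paths in the reply above, and the caching point from the second answer, as an added example that is not part of the original thread or of any PKIX implementation. It is a toy model: CAs, certificates, CRLs, the path search and the cache are all assumed data structures written for illustration (no X.509 parsing or signature checking), and the CA names "Alpha", "Beta", "Gamma", the holder "julien" and the serial numbers are constructed. Each CA publishes which of its own links are currently good (its CRL); the relying party picks trust anchors and searches for a chain of currently-good links. The same holder comes out valid under one trust anchor and not under another, which is exactly the "both revoked and not revoked at the same time" situation from question 1. The cache shows why a validated path for a CRL issuer must be keyed on the trust anchor set as well as on the issuer.

```python
"""Toy model of certification paths as a directed graph with per-CA revocation.

Added example, not code from the PKIX thread. Every name, structure and
routine here is an assumption chosen to illustrate Ambarish's reply.
"""
import time
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cert:
    """One link in the graph: `issuer` vouches for `subject` under `serial`."""
    issuer: str
    subject: str
    serial: int


@dataclass
class CA:
    """A CA and its own revocation list (the serials it no longer stands behind)."""
    name: str
    issued: dict = field(default_factory=dict)   # serial -> Cert
    revoked: set = field(default_factory=set)    # serials listed on this CA's CRL

    def issue(self, subject, serial):
        cert = Cert(self.name, subject, serial)
        self.issued[serial] = cert
        return cert

    def revoke(self, serial):
        self.revoked.add(serial)

    def good_links(self):
        """Edges this CA currently deems good: issued and not on its CRL."""
        return [c for s, c in self.issued.items() if s not in self.revoked]


def build_graph(cas):
    """Adjacency map: issuer name -> list of currently-good Cert edges.
    Rebuild it whenever a CA publishes a new CRL."""
    return {ca.name: ca.good_links() for ca in cas}


def find_path(graph, trusted, target, max_depth=8):
    """Depth-first search from any trusted anchor to `target` over good links.
    Returns the chain of Certs (anchor first), or None if no chain exists
    under this particular set of trust anchors."""
    def dfs(node, depth, seen):
        if depth > max_depth:
            return None
        for cert in graph.get(node, []):
            if cert.subject in seen:          # avoid cross-certification loops
                continue
            if cert.subject == target:
                return [cert]
            rest = dfs(cert.subject, depth + 1, seen | {cert.subject})
            if rest is not None:
                return [cert] + rest
        return None

    for anchor in trusted:
        path = dfs(anchor, 0, {anchor})
        if path is not None:
            return path
    return None


class PathCache:
    """Keeps a validated path to a CA (e.g. a CRL issuer) around for `ttl`
    seconds so it need not be rebuilt for every certificate checked.
    The key includes the trust anchor set: the same CA may be reachable
    under one set of anchors and unreachable under another."""
    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self._entries = {}

    def lookup(self, trusted, ca_name, graph, now=None):
        now = time.time() if now is None else now
        key = (frozenset(trusted), ca_name)
        hit = self._entries.get(key)
        if hit is not None and now - hit[0] < self.ttl:
            return hit[1]
        path = find_path(graph, trusted, ca_name)
        self._entries[key] = (now, path)
        return path


def scenario():
    """Constructed scenario: Gamma is cross-certified by Alpha and Beta, then
    Beta revokes its certificate for Gamma while Alpha keeps its own."""
    alpha, beta, gamma = CA("Alpha"), CA("Beta"), CA("Gamma")
    alpha.issue("Gamma", 101)
    beta.issue("Gamma", 201)
    gamma.issue("julien", 42)
    beta.revoke(201)
    return [alpha, beta, gamma]


if __name__ == "__main__":
    graph = build_graph(scenario())
    print("trusting Alpha:", find_path(graph, ["Alpha"], "julien"))  # 2-link chain
    print("trusting Beta :", find_path(graph, ["Beta"], "julien"))   # None
```

Run it and the holder "julien" validates when Alpha is the anchor and fails when Beta is, with nothing about Gamma's own CRL having changed. If Gamma later revokes serial 42 and the graph is rebuilt, no anchor produces a path, which is the case where the issuing CA itself withdraws the link.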