[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: SCVP 16 comments deadline

To: "Denis Pinkas" <Denis.Pinkas@xxxxxxxx>
Subject: RE: SCVP 16 comments deadline
From: "Trevor Freeman" <trevorf@xxxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 8 Dec 2004 10:42:02 -0800
Cc: <ietf-pkix@xxxxxxx>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Sender: owner-ietf-pkix@xxxxxxxxxxxx
Thread-index: AcTdSOa1ahQnk6E8SKqa+x38ok0UfQADAXfw
Thread-topic: SCVP 16 comments deadline

Denis,
I know of several systems who's policy is never to revoke the identity
certificate because they have other mechanisms to address the issue.
They are using authorization bound to the identity and they either rely
on  short lived authorization assertions or revoke the authorization
privilege assonated with the identity. Therefore in those cases not
checking the revocation status of the certificate makes perfect sense.
Trevor

* -----Original Message-----
* From: owner-ietf-pkix@xxxxxxxxxxxx
[mailto:owner-ietf-pkix@xxxxxxxxxxxx]
* On Behalf Of Denis Pinkas
* Sent: Wednesday, December 08, 2004 8:01 AM
* To: Trevor Freeman
* Cc: ietf-pkix@xxxxxxx
* Subject: Re: SCVP 16 comments deadline
* 
* 
* Trevor,
* 
* > Hi Denis,
* > Below are responses to 1-16. Others will follow later.
* 
* I am pleased that you accepted comments 13, 14, 15 and 16.
* Among this list, I have a further remark on comment 4.
* 
* > * 4. Page 13. Typo. Section 3.1.2 "checks"
* > * The two following lines are in fact one line:
* > *
* > * Change:
* > *
* > *      - Build a validated certification path to a trust anchor; and
* > *
* > *      - Do revocation status checks on the certification path.
* > *
* > * into:
* > *
* > *      - Build a validated certification path to a trust anchor and
* > *        do revocation status checks on the certification path.
* > *
* > [TF] Since this paragraph is listing the possible checks and
building a
* > path is a separate check to revocation checking, I think the current
* > text is more accurate.
* 
* I agree that "building a path is a separate check to revocation
checking",
* but revocation checking without building a validated path does not
make
* sense.
* 
* The full text currently is:
* 
*      - Build a certification path to a trust anchor;
* 
*      - Build a validated certification path to a trust anchor; and
* 
*      - Do revocation status checks on the certification path.
* 
* The full text should be:
* 
*      - Build a certification path to a trust anchor;
* 
*      - Build a validated certification path to a trust anchor; and
*        do revocation status checks on the certification path.
* 
* Denis

Prev by Date: Re: SCVP 16 comments deadline
Next by Date: RE: SCVP 16 comments deadline
Previous by thread: RE: SCVP 16 comments deadline
Next by thread: RE: SCVP 16 comments deadline
Index(es):
- Date
- Thread