Trevor,

For clarification, I assume that doing revocation status checks on a path implies building a validated path? If I am correct, in what case would a client ever send more than one check?

Seth

-----Original Message-----
From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx] On Behalf Of Trevor Freeman
Sent: Wednesday, December 08, 2004 1:42 PM
To: Denis Pinkas
Cc: ietf-pkix@xxxxxxx
Subject: RE: SCVP 16 comments deadline

Denis,

I know of several systems whose policy is never to revoke the identity certificate because they have other mechanisms to address the issue. They are using authorization bound to the identity and they either rely on short-lived authorization assertions or revoke the authorization privilege associated with the identity. Therefore in those cases not checking the revocation status of the certificate makes perfect sense.

Trevor

* -----Original Message-----
* From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx]
* On Behalf Of Denis Pinkas
* Sent: Wednesday, December 08, 2004 8:01 AM
* To: Trevor Freeman
* Cc: ietf-pkix@xxxxxxx
* Subject: Re: SCVP 16 comments deadline
*
*
* Trevor,
*
* > Hi Denis,
* > Below are responses to 1-16. Others will follow later.
*
* I am pleased that you accepted comments 13, 14, 15 and 16.
* Among this list, I have a further remark on comment 4.
*
* > * 4. Page 13. Typo. Section 3.1.2 "checks"
* > * The two following lines are in fact one line:
* > *
* > * Change:
* > *
* > * - Build a validated certification path to a trust anchor; and
* > *
* > * - Do revocation status checks on the certification path.
* > *
* > * into:
* > *
* > * - Build a validated certification path to a trust anchor and
* > *   do revocation status checks on the certification path.
* > *
* > [TF] Since this paragraph is listing the possible checks and building a
* > path is a separate check to revocation checking, I think the current
* > text is more accurate.
*
* I agree that "building a path is a separate check to revocation checking",
* but revocation checking without building a validated path does not make
* sense.
*
* The full text currently is:
*
* - Build a certification path to a trust anchor;
*
* - Build a validated certification path to a trust anchor; and
*
* - Do revocation status checks on the certification path.
*
* The full text should be:
*
* - Build a certification path to a trust anchor;
*
* - Build a validated certification path to a trust anchor; and
*   do revocation status checks on the certification path.
*
* Denis