The Meaning of Hold
All:
At the IETF PKIX session on Monday, 9 December 1996, Denis Pinkas raised a
question about the handling of signatures that were generated when a
particular certificate was marked "on hold" in a CRL.
Here is the scenario:
- At time T0, the CA issues a certificate for user A.
- At time T1, the CA issues a CRL without an entry for user A's cert.
- At time T2, the CA issues a CRL with an "on hold" entry for user A's cert.
- At time T3, the CA issues a CRL without an entry for user A's cert.
Following time T3, Denis asks how signatures generated by user A are
handled.
In my opinion, the answer is simple. The decision is always made based on
the most recent CRL. If the most recent CRL includes an entry for user A's
certificate (whether it is a revocation or "on hold" entry), then the
certificate is treated as revoked. Alternatively, if the most recent CRL
does not include an entry for user A's certificate, then the certificate is
treated as valid.
Russ
P.S. After thinking about this, I do believe that the PKIX Profile should
state that, for a certificate that is placed "on hold" and subsequently
revoked, the revocation date for that certificate should be the same within
both of the CRLs (the CRL that contains the "on hold" entry and the CRL
that contains the revocation entry).
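The status rule described in the message, as an added example that is not part of the original post or of any PKIX implementation: a relying party picks the most recent CRL available at the evaluation time, treats any entry for the certificate (on hold or permanent revocation) as "revoked", and treats the absence of an entry as "valid". The serial number, the integer timestamps T0..T3 and the helper names are constructed for illustration; the second function checks the rule proposed in the P.S., that a hold entry followed by a permanent revocation entry carries the same revocationDate in both CRLs.

```python
"""Added example (not from Russ's message): CRL-based status evaluation.

Timestamps are plain integers and CRLs are minimal records holding only
thisUpdate and their entries; everything here is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

CERTIFICATE_HOLD = "certificateHold"  # CRLReason name used for "on hold" entries


@dataclass
class CRLEntry:
    serial: int
    revocation_date: int
    reason: Optional[str] = None


@dataclass
class CRL:
    this_update: int
    entries: list = field(default_factory=list)

    def find(self, serial: int) -> Optional[CRLEntry]:
        """Return this CRL's entry for `serial`, or None if the CRL has none."""
        for entry in self.entries:
            if entry.serial == serial:
                return entry
        return None


def most_recent_crl(crls, at_time: int) -> Optional[CRL]:
    """Pick the CRL with the latest thisUpdate issued at or before `at_time`."""
    candidates = [c for c in crls if c.this_update <= at_time]
    if not candidates:
        return None
    return max(candidates, key=lambda c: c.this_update)


def certificate_status(serial: int, crls, at_time: int) -> str:
    """Decide purely on the most recent CRL, as the message argues."""
    crl = most_recent_crl(crls, at_time)
    if crl is None:
        return "undetermined"  # no CRL issued yet; local policy has to decide
    if crl.find(serial) is None:
        return "valid"
    # Both an "on hold" entry and a permanent revocation count as revoked.
    return "revoked"


def hold_then_revoke_dates_consistent(serial: int, crls) -> bool:
    """P.S. rule: when a hold entry is followed by a permanent revocation entry
    in the next CRL, the revocationDate must be the same in both CRLs."""
    ordered = sorted(crls, key=lambda c: c.this_update)
    for earlier, later in zip(ordered, ordered[1:]):
        e1, e2 = earlier.find(serial), later.find(serial)
        if e1 and e2 and e1.reason == CERTIFICATE_HOLD and e2.reason != CERTIFICATE_HOLD:
            if e1.revocation_date != e2.revocation_date:
                return False
    return True


# Constructed scenario from the message: user A's cert has serial 42 (made up).
T0, T1, T2, T3 = 0, 10, 20, 30
SERIAL_A = 42
SCENARIO_CRLS = [
    CRL(this_update=T1),                                              # no entry for A
    CRL(this_update=T2, entries=[CRLEntry(SERIAL_A, T2, CERTIFICATE_HOLD)]),  # A on hold
    CRL(this_update=T3),                                              # hold lifted
]


def status_timeline(serial: int = SERIAL_A, crls=SCENARIO_CRLS) -> dict:
    """Status of user A's cert at several evaluation times across T1..T3+5."""
    return {t: certificate_status(serial, crls, t) for t in (T1, T2, T2 + 5, T3, T3 + 5)}


if __name__ == "__main__":
    for t, status in status_timeline().items():
        print(f"t={t:>2}: {status}")
```

Signatures checked between T2 and T3 come back "revoked" and signatures checked from T3 onward come back "valid", which is the outcome the message describes; nothing in the evaluation looks at earlier CRLs. A relying party that caches the T2 CRL past T3 would keep rejecting user A's signatures, so CRL freshness (nextUpdate handling) matters as much as the rule itself.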