
Re: The Meaning of Hold



In reply to your message of 10 Dec 96, 3:05:

I agree with your interpretation with regard to hold.  And I believe 
that was what was intended when the X.509 DAM was written.

In X.509 DAM 12.5.2.2 3rd major paragraph, it states as one of the 
actions subsequent to hold is that the certificate:

 "c) be explicitly released and the entry removed from the CRL."

If a certificate hasn't been placed on hold I don't believe that it 
should be removed from the CRL until the revoked certificate validity 
period has expired.

Nick
> 
> All:
> 
> At the IETF PKIX session on Monday, 9 December 1996, Denis Pinkas
> raised a question about the handling of signatures that were generated
> when a particular certificate was marked "on hold" in a CRL.
> 
> Here is the scenario:
>   - At time T0, the CA issues a certificate for user A.
>   - At time T1, the CA issues a CRL without an entry for user A's
>     cert.
>   - At time T2, the CA issues a CRL with an "on hold" entry for user
>     A's cert.
>   - At time T3, the CA issues a CRL without an entry for user A's
>     cert.
> 
> Following time T3, Denis asks how are signatures generated by user A
> handled?
> 
> In my opinion, the answer is simple.  The decision is always made
> based on the most recent CRL.  If the most recent CRL includes an
> entry for user A's certificate (whether it is a revocation or "on
> hold" entry), then the certificate is treated as revoked. 
> Alternatively, if the most recent CRL does not include an entry for
> user A's certificate, then the certificate is treated as valid.
> 
> Russ
> 
> P.S.  After thinking about this, I do believe that the PKIX Profile
> should state that a certificate that is placed "on hold" and
> subsequently revoked, then the revocation date for that certificate
> should be the same within both of the CRLs (the CRL that contains the
> "on hold" entry and the CRL that contains the revocation entry).

-------------------------------------


Security & Standards
Suite A
191 Moulsham St.
Chelmsford
Essex
CM2 0LG
U.K.

Tel: +44 1245 495018
Fax: +44 1245 494517
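
An added example, not part of either message above: a small Python model of the two rules discussed in this thread, the "most recent CRL decides" rule from the quoted message and the reply's point that only an "on hold" entry should leave the CRL before the certificate's validity period has expired. The Crl class, the serial numbers and the dates are constructed for illustration, and a CRL is reduced to an issue time plus a map of serial number to reason code.

```python
from dataclasses import dataclass
from datetime import datetime

HOLD = "certificateHold"  # reason code carried by an "on hold" CRL entry

@dataclass
class Crl:
    this_update: datetime
    entries: dict  # serial number -> reason code (simplified model)

def status(crls, serial):
    """Decide from the most recent CRL only: any entry, whether a
    revocation or an "on hold" entry, means treat as revoked."""
    latest = max(crls, key=lambda c: c.this_update)
    return "revoked" if serial in latest.entries else "valid"

def improper_removals(crls, not_after):
    """Flag entries that vanish from a later CRL although they were not
    hold entries and the certificate had not yet expired.
    not_after maps serial number -> end of certificate validity."""
    ordered = sorted(crls, key=lambda c: c.this_update)
    problems = []
    for prev, cur in zip(ordered, ordered[1:]):
        for serial, reason in prev.entries.items():
            if serial in cur.entries:
                continue  # still listed, nothing to check
            if reason != HOLD and cur.this_update < not_after[serial]:
                problems.append((serial, cur.this_update))
    return problems

# Constructed sample data following the T1..T3 scenario in the thread.
T1, T2, T3 = (datetime(1996, 12, d) for d in (1, 2, 3))
USER_A, USER_B = 0x0A, 0x0B  # hypothetical serial numbers
NOT_AFTER = {USER_A: datetime(1997, 12, 1), USER_B: datetime(1997, 12, 1)}
CRLS = [
    Crl(T1, {}),
    Crl(T2, {USER_A: HOLD, USER_B: "keyCompromise"}),
    Crl(T3, {}),  # A released from hold; B dropped before expiry
]

if __name__ == "__main__":
    print("A after T2:", status(CRLS[:2], USER_A))
    print("A after T3:", status(CRLS, USER_A))
    print("improper removals:", improper_removals(CRLS, NOT_AFTER))
```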