
RE: The Meaning of Hold



I agree with Russ, noting that support for hold as it's currently defined 
yields a (reasonably modest) increment to the technical complexity of the 
dispute resolution process.  In an infrastructure which does not deploy hold 
functionality, once a cert appears on a CRL, one has a stopping condition. 
In the context of hold, however, it will be necessary to examine CRLs forward 
of a hold entry to determine: 1) was the certificate reinstated; 2) was it 
ever again placed on hold; and 3) was it subsequently revoked for cause?
 ----------
>From: housley@spyrus.com
>To: ietf-pkix@tandem.com
>Subject: The Meaning of Hold
>Date: Tuesday, December 10, 1996 5:08AM
>
>All:
>
>At the IETF PKIX session on Monday, 9 December 1996, Denis Pinkas raised a
>question about the handling of signatures that were generated when a
>particular certificate was marked "on hold" in a CRL.
>
>Here is the scenario:
>  - At time T0, the CA issues a certificate for user A.
>  - At time T1, the CA issues a CRL without an entry for user A's cert.
>  - At time T2, the CA issues a CRL with an "on hold" entry for user
>    A's cert.
>  - At time T3, the CA issues a CRL without an entry for user A's cert.
>
>Following time T3, Denis asks how are signatures generated by user A
>handled?
>
>In my opinion, the answer is simple.  The decision is always made based on
>the most recent CRL.  If the most recent CRL includes an entry for user A's
>certificate (whether it is a revocation or "on hold" entry), then the
>certificate is treated as revoked.  Alternatively, if the most recent CRL
>does not include an entry for user A's certificate, then the certificate is
>treated as valid.
>
>Russ
>
>P.S.  After thinking about this, I do believe that the PKIX Profile should
>state that, for a certificate that is placed "on hold" and subsequently revoked,
>the revocation date for that certificate should be the same within
>both of the CRLs (the CRL that contains the "on hold" entry and the CRL
>that contains the revocation entry).
>
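The two rules discussed above, Russ's "decide from the most recent CRL" rule and the forward scan of CRLs after a hold entry that the reply says becomes necessary, are modelled below as an added example. This is not code from the thread or from any PKIX implementation; it is a toy in-memory model of a CRL sequence. The T-values of Russ's scenario are taken as the integers 1..3, and the second CRL sequence (hold, hold, then revoked for key compromise) is a constructed variant added to exercise the "revoked for cause" branch and the revocation-date check from the P.S.

```python
"""Toy model of the CRL hold/reinstate/revoke timeline (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Reason codes from the X.509 CRL reasonCode extension that matter here.
CERTIFICATE_HOLD = "certificateHold"
KEY_COMPROMISE = "keyCompromise"      # used only by the constructed variant below


@dataclass(frozen=True)
class CrlEntry:
    reason: str
    revocation_date: int   # the date the CA records in the entry


@dataclass(frozen=True)
class Crl:
    this_update: int               # CRL issue time (T1, T2, ... in the thread)
    entries: Dict[str, CrlEntry]   # certificate serial -> entry


def latest_crl(crls: List[Crl]) -> Crl:
    return max(crls, key=lambda c: c.this_update)


def status_per_latest_crl(serial: str, crls: List[Crl]) -> str:
    """Russ's rule: look only at the most recent CRL.  Any entry, whether a
    revocation or an "on hold" entry, means revoked; no entry means valid."""
    return "valid" if latest_crl(crls).entries.get(serial) is None else "revoked"


def hold_history(serial: str, crls: List[Crl]) -> Optional[dict]:
    """The reply's point: once a hold entry appears, every CRL issued after it
    must be read to learn whether the certificate was (1) reinstated, (2) put
    on hold again, or (3) revoked for cause.  Returns None if never held."""
    ordered = sorted(crls, key=lambda c: c.this_update)
    first_hold = next(
        (i for i, c in enumerate(ordered)
         if serial in c.entries and c.entries[serial].reason == CERTIFICATE_HOLD),
        None,
    )
    if first_hold is None:
        return None
    result = {"reinstated": False, "held_again": False, "revoked_for_cause": None}
    on_hold = True
    for crl in ordered[first_hold + 1:]:
        entry = crl.entries.get(serial)
        if entry is None:                       # entry dropped: the hold was lifted
            if on_hold:
                result["reinstated"] = True
            on_hold = False
        elif entry.reason == CERTIFICATE_HOLD:  # held (again) in this CRL
            if not on_hold:
                result["held_again"] = True
            on_hold = True
        else:                                   # permanent revocation ends the scan
            result["revoked_for_cause"] = (crl.this_update, entry.reason)
            break
    return result


def revocation_dates_consistent(serial: str, crls: List[Crl]) -> bool:
    """Russ's P.S.: when a held certificate is later revoked for cause, the
    revocation date in the hold entry and in the revocation entry should agree.
    Only the unbroken run of entries ending in the revocation is compared."""
    run: List[int] = []
    for crl in sorted(crls, key=lambda c: c.this_update):
        entry = crl.entries.get(serial)
        if entry is None:
            run = []                # a gap means any later hold is a new episode
            continue
        run.append(entry.revocation_date)
        if entry.reason != CERTIFICATE_HOLD:
            return len(set(run)) == 1
    return True                     # never revoked for cause: nothing to compare


# Russ's scenario: T1 no entry, T2 "on hold", T3 no entry (T0 is issuance).
RUSS_SCENARIO = [
    Crl(1, {}),
    Crl(2, {"A": CrlEntry(CERTIFICATE_HOLD, 2)}),
    Crl(3, {}),
]

# Constructed variant (not from the thread): held at T2, still held at T3,
# then revoked for key compromise at T4 carrying the same revocation date.
HELD_THEN_REVOKED = [
    Crl(1, {}),
    Crl(2, {"A": CrlEntry(CERTIFICATE_HOLD, 2)}),
    Crl(3, {"A": CrlEntry(CERTIFICATE_HOLD, 2)}),
    Crl(4, {"A": CrlEntry(KEY_COMPROMISE, 2)}),
]

if __name__ == "__main__":
    print("after T3, latest-CRL rule:", status_per_latest_crl("A", RUSS_SCENARIO))
    print("after T2, latest-CRL rule:", status_per_latest_crl("A", RUSS_SCENARIO[:2]))
    print("hold history, Russ's scenario:", hold_history("A", RUSS_SCENARIO))
    print("hold history, held then revoked:", hold_history("A", HELD_THEN_REVOKED))
    print("dates consistent:", revocation_dates_consistent("A", HELD_THEN_REVOKED))
```

Under the latest-CRL rule the T3 CRL alone settles the question for signatures checked after T3, whereas `hold_history` has to read every CRL after T2, which is the extra work the reply refers to. Note that the model is deliberately minimal: it ignores delta CRLs and the `removeFromCRL` reason code, and it does not consider when a signature was made, since Russ's rule does not depend on that.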