RE: The Meaning of Hold
Mike,
Hold adds some complexity for non-repudiation applications, but probably not
much for simple authentication and access control applications. In the
latter case, at the time the data is checked or access is requested, one
just looks at the current CRL. In the N-R case, it is always critical to
have a transaction time stamped, and to collect the relevant certs and
CRLs. If the CRL that covers the time at which the transaction took place
does not have any of the relevant certs in question on it, even in hold
status, then you're done. If one of the relevant certs is added later,
it's not your problem: you already have the needed data to substantiate
your claim. The potentially transient nature of a cert on a CRL due to the
hold condition is bothersome to me, as it complicates the model and makes
it harder to explain to folks, but in practice I don't think it unduly
complicates processing in either case.
Steve
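
The two checks contrasted in the message above, as an added example that is not part of the original post. The CRL model, the function names, and the reading of "covers the time" as thisUpdate <= t < nextUpdate are assumptions made for illustration; the serial numbers and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class CRL:
    this_update: datetime
    next_update: datetime
    entries: dict  # serial number -> reason code

def covering_crl(crls, when):
    """Return the CRL whose thisUpdate/nextUpdate window contains `when`."""
    for crl in crls:
        if crl.this_update <= when < crl.next_update:
            return crl
    return None

def access_check(crls, serial, now):
    """Authentication / access control: only the current CRL matters."""
    crl = covering_crl(crls, now)
    return "no-crl" if crl is None else crl.entries.get(serial, "good")

def nr_check(crls, chain, tx_time):
    """Non-repudiation: judge the chain against the CRL covering the time stamp."""
    crl = covering_crl(crls, tx_time)
    if crl is None:
        return ("insufficient-evidence", {})
    listed = {s: crl.entries[s] for s in chain if s in crl.entries}
    return ("disputed", listed) if listed else ("substantiated", {})

# Constructed sample data: three daily CRLs; serial 0x1A is on hold only in the second.
T0 = datetime(2024, 1, 1)
DAY = timedelta(days=1)
ARCHIVE = [
    CRL(T0, T0 + DAY, {}),
    CRL(T0 + DAY, T0 + 2 * DAY, {0x1A: "certificateHold"}),
    CRL(T0 + 2 * DAY, T0 + 3 * DAY, {}),
]
CHAIN = [0x1A, 0x02]  # signer and issuing CA serials (constructed)

if __name__ == "__main__":
    for hours in (12, 36, 60):
        t = T0 + timedelta(hours=hours)
        print(t, nr_check(ARCHIVE, CHAIN, t), access_check(ARCHIVE, 0x1A, t))
```

A transaction stamped during the first CRL stays substantiated even though the signer's cert goes on hold a day later, while the access check on the third day sees the cert as good again because the hold entry has dropped off.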