Re: The Meaning of Hold
Mike:
You are correct. In a non-repudiation application, you might need to wait
for a subsequent CRL to make a decision about the validity of a signature
associated with an "on hold" certificate. We should point this out in PKIX
Part 1.
Russ
______________________________ Reply Separator _________________________________
Subject: RE: The Meaning of Hold
Author: "Michael Myers-P23970" <Michael_Myers-P23970@email.mot.com> at internet
Date: 12/11/96 8:47 AM
I agree with Russ, noting that support for hold as it's currently defined
yields a (reasonably modest) increment to the technical complexity of the
dispute resolution process. In an infrastructure which does not deploy hold
functionality, once a cert appears on a CRL, one has a stopping condition.
In context of hold, however, it will be necessary to examine CRLs forward
of a hold entry to determine: 1) was the certification reinstated; 2) was it
ever again placed on hold; and 3) was it subsequently revoked for cause?
----------
>From: housley@spyrus.com2
>To: ietf-pkix@tandem.com
>Subject: The Meaning of Hold
>Date: Tuesday, December 10, 1996 5:08AM
>
>All:
>
>At the IETF PKIX session on Monday, 9 December 1996, Denis Pinkas raised a
>question about the handling of signatures that were generated when a
>particular certificate was marked "on hold" in a CRL.
>
>Here is the scenario:
> - At time T0, the CA issues a certificate for user A.
> - At time T1, the CA issues a CRL without an entry for user A's cert.
> - At time T2, the CA issues a CRL with an "on hold" entry for user
> A's cert.
> - At time T3, the CA issues a CRL without an entry for user A's cert.
>
>Following time T3, Denis asks how are signatures generated by user A
>handled?
>
>In my opinion, the answer is simple. The decision is always made based on
>the most recent CRL. If the most recent CRL includes an entry for user A's
>certificate (whether it is a revocation or "on hold" entry), then the
>certificate is treated as revoked. Alternatively, if the most recent CRL
>does not include an entry for user A's certificate, then the certificate is
>treated as valid.
>
>Russ
>
>P.S. After thinking about this, I do believe that the PKIX Profile should
>state that a certificate that is placed "on hold" and subsequently revoked,
>then the revocation date for that certificate should be the same within
>both of the CRLs (the CRL that contains the "on hold" entry and the CRL
>that contains revocation entry).
>
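The three rules discussed in this thread, written out as an added example (this is not code from the thread or from any PKIX implementation). It reduces a CRL to the two fields the discussion turns on, thisUpdate and a per-serial entry carrying revocationDate and reasonCode, and models Russ's "most recent CRL decides" rule for an on-line check, Michael's forward scan over the CRLs issued after an "on hold" entry for the dispute-resolution case, and the consistency check implied by the P.S. (a revocation that follows a hold carries the same revocationDate as the hold entry). The serial numbers, dates and the `dec96` helper are constructed for the example; serial 1 follows the T0..T3 scenario in the original message.

```python
from dataclasses import dataclass
from datetime import datetime

# Reason codes and result values used below.  "certificateHold" is the PKIX
# reasonCode name; the other strings are labels chosen for this example.
HOLD = "certificateHold"
VALID, REVOKED, UNDETERMINED = "valid", "revoked", "undetermined"


@dataclass
class CrlEntry:
    revocation_date: datetime
    reason: str


@dataclass
class Crl:
    this_update: datetime
    entries: dict  # serial number -> CrlEntry (absent serial: not listed)


def dec96(day):
    """Constructed helper: a date in December 1996, matching the thread."""
    return datetime(1996, 12, day)


def current_status(crls, serial):
    """Russ's rule for an on-line check: only the most recent CRL counts, and
    an "on hold" entry is treated exactly like a revocation entry."""
    latest = max(crls, key=lambda c: c.this_update)
    return REVOKED if serial in latest.entries else VALID


def signature_status(crls, serial, signing_time):
    """Non-repudiation rule: judge a signature made at signing_time.

    The CRL in force at signing_time is the latest one issued at or before
    it.  A plain revocation there is a stopping condition.  A hold entry is
    not: the CRLs issued afterwards decide whether the hold was lifted
    (certificate reinstated), turned into a revocation for cause, or is
    still pending, in which case one must wait for a subsequent CRL."""
    ordered = sorted(crls, key=lambda c: c.this_update)
    in_force = [c for c in ordered if c.this_update <= signing_time]
    if not in_force:
        return UNDETERMINED  # no CRL covers the signing time yet
    entry = in_force[-1].entries.get(serial)
    if entry is None:
        return VALID
    if entry.reason != HOLD:
        return REVOKED  # stopping condition: no need to look further
    # On hold when the signature was made: examine the CRLs issued later.
    for crl in ordered[len(in_force):]:
        later = crl.entries.get(serial)
        if later is None:
            return VALID  # hold lifted, certificate reinstated
        if later.reason != HOLD:
            return REVOKED  # hold became a revocation for cause
    return UNDETERMINED  # still on hold: wait for a subsequent CRL


def hold_revocation_dates_consistent(crls, serial):
    """Check for the P.S.: when an "on hold" entry is followed in a later CRL
    by a revocation entry, both must carry the same revocationDate."""
    ordered = sorted(crls, key=lambda c: c.this_update)
    prev = None
    for crl in ordered:
        entry = crl.entries.get(serial)
        if (prev is not None and prev.reason == HOLD and entry is not None
                and entry.reason != HOLD
                and entry.revocation_date != prev.revocation_date):
            return False
        prev = entry
    return True


# Constructed CRL history (T1 < T2 < T3 as in the original scenario):
#   serial 1: on hold at T2, entry gone again at T3 (Russ's scenario)
#   serial 2: on hold at T2, revoked at T3 with the same revocationDate
#   serial 3: on hold at T2, revoked at T3 but dated T3 (violates the P.S.)
T1, T2, T3 = dec96(3), dec96(5), dec96(7)
CRLS = [
    Crl(T1, {}),
    Crl(T2, {1: CrlEntry(T2, HOLD), 2: CrlEntry(T2, HOLD), 3: CrlEntry(T2, HOLD)}),
    Crl(T3, {2: CrlEntry(T2, "keyCompromise"), 3: CrlEntry(T3, "keyCompromise")}),
]

if __name__ == "__main__":
    for serial in (1, 2, 3):
        print(serial, current_status(CRLS, serial),
              signature_status(CRLS, serial, dec96(6)),
              hold_revocation_dates_consistent(CRLS, serial))
```

Passing `CRLS[:2]` (the history as it stood before the T3 CRL was issued) to `signature_status` for serial 1 returns `undetermined`, which is the "wait for a subsequent CRL" situation Russ describes; the same call over the full history returns `valid` because the T3 CRL shows the hold was lifted.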