Comments on part 1
This is the remainder of the five comments made during the PKIX session on part 1.

These comments have been discussed after the meeting with two of the editors (Russell Housley and David Solo), and the results of the discussion will be reflected in the next version.

Note: Text between brackets [ ] was not part of the discussion.
1) Page 8. Section 3.3. Last sentence of the second paragraph. Entries of a CRL must still be present, at least, in the next CRL following the expiration date of the certificate. [In practice, they should stay for some period of time, as it may be difficult for a verifier to identify which is the next CRL following the expiration date of the certificate.]
2) Page 10. Item g). Cross-certification can be unilateral or bilateral. This is currently reflected correctly in part 3.
3) Page 24. Section 5.3.3. Invalidity date. Second sentence. The invalidity date cannot always be later than the issue of the previously issued CRL.
4) Page 25. Section 6. Certificate path validation. The issue was how to handle the case of the hold when non-repudiation applies. After discussion, it appears that the result of a path validation is not simply YES or NO, but also "Wait, maybe, and come back later". While a certificate is on hold it is not possible to state the validity of a path, and so the caller will have to call again later on to wait for the termination of the hold state, which may end up in a revocation status or not. In the case of revocation, the revocation date will be the date when the certificate was first placed on hold.
As a side discussion, we observed that if there is a hold state and the certificate expires, the CA must make a decision which must appear (at least) in the next CRL issued after the validity period of the certificate. The decision must be to include it or not in the CRL. The default should be to include it. [As mentioned above, in practice, if revocation occurs then it should stay for some period of time, as it may be difficult for a verifier to identify which is the next CRL following the expiration date of the certificate. This means that CRLs may have to include, during some period of time, certificate identifiers referring to recently-expired certificates.

I would also like to comment on the mail exchanges related to "The Meaning of Hold" posted during the IETF meeting, in particular the mail from Russ from Tuesday the 10th. He said "The decision is always based on the most recent CRL". When referring to the example, this is absolutely true. However, I would like to point out that this is not the case when the time of verification is not within the certificate validity period. In that case it is necessary to grasp the "n+1 CRL", which means in practice to get a CRL issued recently after the expiration date of the certificate.

I would suggest that we consider in the policy (part 4) adding a time period during which recently-expired certificates will be retained in the CRLs.]
5) Page 13. Section 4.1.5. Validity period within the certificate. We discussed that topic and came to an agreement about the rationale. Dave will try to capture the notion by proposing a new definition, saying basically that it is the period during which the CA is responsible for posting the CRL (without forgetting the n+1 CRL). In addition we will attempt to provide an annex giving more explanations on the topic, in particular when non-repudiation is concerned.
Denis
--
Denis Pinkas Bull S.A. E-mail : D.Pinkas@frcl.bull.fr
Rue Jean Jaures B.P. 68 Phone : 33 - 1 30 80 34 87
78340 Les Clayes sous Bois. FRANCE Fax : 33 - 1 30 80 33 21
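The three-way path-validation result from comment 4 and the "n+1 CRL" rule from the hold discussion, as an added Python example that is not part of this message or of the PKIX drafts; the simplified CRL model, the serial number and the dates are constructed for illustration:

```python
from dataclasses import dataclass
from datetime import datetime
from enum import Enum

class Status(Enum):                 # path-validation outcome is not just YES or NO
    VALID = "valid"
    REVOKED = "revoked"
    ON_HOLD = "on hold: not final, come back later"
    UNDETERMINED = "no CRL covers the check time"
@dataclass
class CrlEntry:
    serial: int
    reason: str                                 # "certificateHold", "keyCompromise", ...
    revocation_date: datetime                   # date carried in the CRL entry
    invalidity_date: "datetime | None" = None   # when the cert was first placed on hold

@dataclass
class Crl:
    this_update: datetime
    entries: list

def select_crl(crls, not_after, check_time):
    # Within the validity period the most recent CRL decides; after expiry the
    # relevant one is the first CRL issued after not_after (the "n+1 CRL").
    ordered = sorted(crls, key=lambda c: c.this_update)
    if check_time <= not_after:
        usable = [c for c in ordered if c.this_update <= check_time]
        return usable[-1] if usable else None
    later = [c for c in ordered if c.this_update > not_after]
    return later[0] if later else None

def revocation_status(crl, serial):
    if crl is None:
        return Status.UNDETERMINED, None
    for e in crl.entries:
        if e.serial == serial:
            if e.reason == "certificateHold":
                return Status.ON_HOLD, None
            # Revocation after a hold dates back to when the hold was first placed.
            return Status.REVOKED, e.invalidity_date or e.revocation_date
    return Status.VALID, None

# Constructed scenario: serial 7 held 1 Jan, revoked 1 Feb, cert expires 15 Feb; the CA
# keeps the entry in the first post-expiry CRL (1 Mar) and drops it in the next (1 Apr).
D = lambda m, d: datetime(2024, m, d)
NOT_AFTER = D(2, 15)
CRLS = [Crl(D(1, 1), [CrlEntry(7, "certificateHold", D(1, 1))]),
        Crl(D(2, 1), [CrlEntry(7, "keyCompromise", D(2, 1), invalidity_date=D(1, 1))]),
        Crl(D(3, 1), [CrlEntry(7, "keyCompromise", D(2, 1), invalidity_date=D(1, 1))]),
        Crl(D(4, 1), [])]
```

Checking the expired certificate against the most recent CRL (1 Apr) would report it as valid, while the first CRL after expiry (1 Mar) still carries the entry.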