Re: Certificate Suspension
Dwight:
A CA may, in its own interest to limit liability, take a warning of a signing key compromise from a third party and suspend the suspected compromised signing key while confirming with the private key holder ("subscriber" in Utah) whether or not to revoke the private key. If the issue is not resolved in 24 hrs, then the key is revoked.
In industries like yours, a "denial of service" attack would be easy if a trading entity was able to report a competitor's key as compromised and then the CA would automatically revoke the competitor's key. If the CA did not revoke the reportedly compromised key when notified, then the CA would probably incur liability for NOT revoking if a compromised key is actually used for fraudulent purposes.
Michael
>>> Dwight Arthur <dwightarthur@mindspring.com> 09/29/97 01:01PM >>>
Peter Williams wrote:
> The suspension action can be logically undone.
>
> A revocation action cannot be undone.
>
> If one advises a VISA bank that it is possible that one has lost one's
> visacard, then they can suspend its use (for three days most
> issuing policies). When you find the card, account activity can be
> resumed as if nothing had happened. <...>
In the world of securities trading, where people profit on good news and
bad but uncertainty causes panics, there is nothing more expensive than
a transaction that can neither be cancelled nor completed. In this
industry, I believe that suspensions will be deprecated and revocation
used instead.
-Dwight
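
The hold-then-revoke policy discussed in this thread, modelled as a small state machine; this is an added example and not part of the original messages. The class and method names and the sample timestamp are assumptions; the status labels are the CRL reason-code names from RFC 5280.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional

HOLD_LIMIT = timedelta(hours=24)  # the 24 hr window from the message


class Status(Enum):
    GOOD = "good"
    ON_HOLD = "certificateHold"  # RFC 5280 CRL reason code 6
    REVOKED = "keyCompromise"    # RFC 5280 CRL reason code 1


@dataclass
class CertRecord:  # hypothetical CA-side record, not a real CA API
    serial: str
    status: Status = Status.GOOD
    hold_since: Optional[datetime] = None
    log: list = field(default_factory=list)

    def _set(self, status, when, why):
        self.status = status
        self.hold_since = when if status is Status.ON_HOLD else None
        self.log.append((when, status.value, why))

    def report_compromise(self, when, reporter):
        # A third-party report only suspends; it never revokes on its own.
        if self.status is Status.GOOD:
            self._set(Status.ON_HOLD, when, f"reported by {reporter}")

    def tick(self, now):
        # An unresolved hold becomes a revocation once the window closes.
        if self.status is Status.ON_HOLD and now - self.hold_since >= HOLD_LIMIT:
            self._set(Status.REVOKED, now, "hold unresolved after 24 hrs")
        return self.status

    def subscriber_answer(self, when, compromised):
        self.tick(when)  # an answer after the deadline is too late
        if self.status is Status.ON_HOLD:  # REVOKED is terminal
            new = Status.REVOKED if compromised else Status.GOOD
            self._set(new, when, "subscriber answered")
        return self.status


T0 = datetime(1997, 9, 29, 13, 1)  # constructed sample timestamp
```

The `log` list keeps the reporter and timing of every transition, which is the record a CA would need when reviewing whether a hold was triggered by a false report.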