
RE: [IETF-PKIX] OCSP v CRLs over HTTP



At 04:42 PM 12/5/97 -0500, Carlisle Adams wrote:
>Hi Marc,
> . . .
>>The flaw is that the decision of when to release new revocation
>>information rests with the CA.  In other words, a relying party who needs
>>up-to-date revocation information in a CRL-only environment has to wait
>>for the next CRL to be published.  The relier has no power to influence
>>the CA into releasing revocation information earlier.
> . . . 
>Unfortunately, your "slightly different perspective" is no longer
>supported in the latest OCSP revision.  The OCSP response message now
>contains "produced_at" and "expires_on" fields.
>. . .
>So, it turns out that the CA still controls when new revocation
>information is released.

To which I would add: Including those operating autonomously within an
enterprise, using Internet-based technology.

A reliable decision regarding the revocation state of a certificate should
be made with reference to the entity that issued the certificate in the
first place.  This reference can be established by direct signature or
indirectly, via agreement between a Trust Provider and a Certification
Authority.  In either case, relying parties have an avenue of recourse
should damages be incurred.

Mike
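An added illustration of the point both messages make, not code from this thread: the relying party can apply its own freshness policy to the issuer-set fields, but when nothing passes that policy its only option is to wait for the issuer's next publication. The model is constructed; the field names follow the draft discussed here (produced_at/expires_on), with a CRL's thisUpdate/nextUpdate mapped onto the same two fields.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed model of the freshness metadata the thread discusses. Both a CRL
# (thisUpdate/nextUpdate) and an OCSP response (produced_at/expires_on) carry
# an issuer-chosen production time and an issuer-chosen validity end.
@dataclass(frozen=True)
class RevocationInfo:
    source: str                      # "crl" or "ocsp"
    produced_at: datetime            # CRL thisUpdate or OCSP produced_at
    expires_on: Optional[datetime]   # CRL nextUpdate or OCSP expires_on

@dataclass(frozen=True)
class RelierPolicy:
    max_age: timedelta               # oldest revocation data the relier accepts
    clock_skew: timedelta = timedelta(minutes=5)   # tolerated clock difference

def evaluate(info: RevocationInfo, policy: RelierPolicy, now: datetime) -> Tuple[bool, str]:
    """Accept or reject one piece of revocation data under the relier's own policy."""
    if info.produced_at > now + policy.clock_skew:
        return False, "produced_at lies in the future"
    if info.expires_on is not None and info.expires_on < now - policy.clock_skew:
        return False, "issuer's validity window has lapsed"
    if now - info.produced_at > policy.max_age:
        return False, "older than the relier's max_age"
    return True, "acceptable"

def choose(candidates: List[RevocationInfo], policy: RelierPolicy,
           now: datetime) -> Tuple[Optional[RevocationInfo], Optional[timedelta]]:
    """Pick the freshest acceptable source.  If none is acceptable, return how long
    the relier must wait until the issuer has committed to publish again: the
    relier cannot bring that moment forward, only decline to trust until then."""
    accepted = [c for c in candidates if evaluate(c, policy, now)[0]]
    if accepted:
        return max(accepted, key=lambda c: c.produced_at), timedelta(0)
    deadlines = [c.expires_on for c in candidates
                 if c.expires_on is not None and c.expires_on > now]
    return None, (min(deadlines) - now) if deadlines else None

if __name__ == "__main__":
    # Constructed sample: a daily CRL issued 20 hours ago and a 1-hour OCSP response.
    now = datetime(1997, 12, 6, 12, 0, tzinfo=timezone.utc)
    crl = RevocationInfo("crl", now - timedelta(hours=20), now + timedelta(hours=4))
    ocsp = RevocationInfo("ocsp", now - timedelta(minutes=30), now + timedelta(minutes=30))
    print(choose([crl, ocsp], RelierPolicy(max_age=timedelta(hours=1)), now))
    print(choose([crl, ocsp], RelierPolicy(max_age=timedelta(minutes=10)), now))
```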