[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Invalidity Dates

To: ietf-pkix@xxxxxxx
Subject: Invalidity Dates
From: Mary_Ellen_Zurko@xxxxxxxx
Date: Thu, 10 Dec 1998 15:47:00 -0500
Cc: Mary_Ellen_Zurko@xxxxxxxx
Sender: owner-ietf-pkix@xxxxxxx

The description of a CRL entry Invalidity Date in the PKIX
profile states:
" ...but the revocation date
   SHOULD NOT precede the date of issue of earlier CRLs."
The description of SHOULD NOT says:
"4. SHOULD NOT   This phrase, or the phrase "NOT RECOMMENDED" mean that
   there may exist valid reasons in particular circumstances when the
   particular behavior is acceptable or even useful, but the full
   implications should be understood and the case carefully weighed
   before implementing any behavior described with this label.
"

It seems to me that one could discover that one's key was
compromised since before the issue of the current CRL.
In which case, it seems that you'd like to be able to reflect
that information in the CRL entry (when the next one comes
out). This means that not only could applications have been
accepting the cert while it was invalid (the case always with
CRLs) but that it could have been doing so for longer than
the configured "acceptable risk" interval between CRLs.

Are there any other implications that need to be weighed
by either the developer planning on allowing this feature,
or the user/administrator who might set such a revocation
date?

I haven't seen any discussion on this on PKIX; I apoligize
if I'm rehashing old ground (to mix a metaphor).
     Mez

Follow-Ups:
- Re: Invalidity Dates
  - From: Dan Geer

Prev by Date: Re: POP profile in CRMF /Was Re: generation of private keys
Next by Date: status of pkix drafts
Previous by thread: draft minutes, again
Next by thread: Re: Invalidity Dates
Index(es):
- Date
- Thread