Re: Invalidity Dates
MEZ,
I cannot follow this mailing list in real time, but it seems to
me that all revocations are retroactive to a known good date.
If the attack were insidious or the key infrequently inspected,
the effective date of revocation could be arbitrarily many
CRL generations ago. If CRLs are issued by other than the
CA, the date of revocation could precede the existence of
the revocation server.
And, of course, this is true for all time -- records do not
outdate. I may, at any arbitrary time in the future, want to
inquire of a certificate/key status as of a date of my choosing.
The CRLs must be indexed by time, a signature must ensure there
are no omitted CRLs, and it is the diffs between CRLs that
constitute their information content. Further, if I seek
to prove my due diligence, I will want a signature binding
the moment in time I asked for this data with the global
signature on the state of the CRL database at that moment.
Even so, there will remain the semantic fine point of whether
the inter-CRL time scale constitutes a clock tick such that
a revocation notice may be enqueued at the CRL issuer yet
the titularly correct answer in CRL-time-granularity is
"not yet known to be invalid."
I hope this reply merely telescopes the implications of your
question and is not the pedantic rehash I fear it is.
Respectfully,
--dan
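The distinction Dan draws (what the CRL database said at a given moment versus what we later learn about that moment, and whether the chain of CRLs has gaps) can be modelled directly. The following is an added example, not from the original thread or any CA software; it assumes a simplified CRL record (number, issue time, revoked serials) with an optional invalidity date, and constructs its own sample history.

```python
from dataclasses import dataclass, field
from datetime import datetime as dt

@dataclass
class Revocation:
    serial: int
    revocation_date: dt                        # when the CA recorded the revocation
    invalidity_date: "dt | None" = None        # earliest date the key is believed bad

@dataclass
class Crl:
    number: int                                # CRL number, must rise by one per issue
    this_update: dt                            # issue time of this CRL generation
    revoked: dict = field(default_factory=dict)   # serial -> Revocation

def chain_is_complete(crls):
    """No omitted CRLs: consecutive numbers and non-decreasing issue times."""
    return all(cur.number == prev.number + 1 and cur.this_update >= prev.this_update
               for prev, cur in zip(crls, crls[1:]))

def crl_diff(prev, cur):
    """The information content of one generation: serials added and dropped."""
    return (sorted(cur.revoked.keys() - prev.revoked.keys()),
            sorted(prev.revoked.keys() - cur.revoked.keys()))

def status_at(crls, serial, as_of):
    """What the CRL database itself said at as_of (CRL-time granularity)."""
    if not chain_is_complete(crls):
        raise ValueError("CRL history has a gap")
    published = [c for c in crls if c.this_update <= as_of]
    if not published:
        return "no CRL yet"
    return "revoked" if serial in published[-1].revoked else "not yet known to be invalid"

def status_in_hindsight(crls, serial, as_of):
    """Same question asked later, using every CRL issued and any invalidity date."""
    if not chain_is_complete(crls):
        raise ValueError("CRL history has a gap")
    for c in crls:
        r = c.revoked.get(serial)
        if r and (r.invalidity_date or r.revocation_date) <= as_of:
            return "revoked"
    return "valid as far as is known"

# Constructed history: serial 42 first appears in CRL #2 (revoked day 10), backdated to day 3.
def day(d): return dt(2024, 1, d)
HISTORY = [
    Crl(1, day(1)),
    Crl(2, day(10), {42: Revocation(42, day(10), invalidity_date=day(3))}),
    Crl(3, day(20), {42: Revocation(42, day(10), invalidity_date=day(3))}),
]
```

Asking about day 5 gives "not yet known to be invalid" from the CRLs that existed then, but "revoked" in hindsight once CRL #2 has been seen; omitting CRL #2 from the history is rejected by the chain check.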