Re: On Hold

[Mike Smith <mfsmith@xxxxxxxxxxxxx>]

I separated out my response to the "on hold"  question.

In my opinion, there are valid business reasons to suspend or put a certificate on hold.  Two of which incude:
1. Someone other than the certificate holder (say, her business competitor) reported a compromised private identitiy key.  Suspended until holder and owner could be notified and confirmed or disavowed.  The suspension would become revocation as default after specified time (say, 24 hours).  It would only be reinstated if the holder or owner denied the compromise.
2.  The holder or subscriber did not pay their bill, check bounced or other business reason between the issuer, repsository, holder and owner.  Again, revocation after a specified time period is the default, reinstatement by the CA and/or repository once again when holder or owner are in good standing.

With systems that only work (validate signatures and trust) while a certificate is still valid, then suspected compromised key situations would not be sufficient reason to suspend instead of revoke.  This model invalidates all signed objects, not just those signed within the suspension period.

If the system was implemented with a time stamp authority and requirement, which based the validation and trust verification on time the object was signed, then a record of the suspension would also have to be archived for these systems to work.  I believe that the current models for suspension have the record of the suspension dropping off the CRLs after one or two generations past the end of the suspension.

Michael

>>> Juergen Walter <walter@deh.de> 12/16/98 03:37AM >>>
******************  InterScan Message (on zbc2)

noname is scanned and no virus found
*********************************************************