Re: when can an entry not appear on a CRL?
It's not clear to me why it is useful to distinguish "short term" and
"long term" signatures and then define different validation algorithms
for them. For example, what property distinguishes the two flavors?
On a related issue, if you use "time of signature generation" how do
you know what that is? It can't just be the timestamp in the
signature, since that would allow the thief of a key which was revoked
at time T to generate a "valid" signature by constructing one with
signing time T-epsilon.
If I have independent evidence I trust that a signature is at least as
old as T2 where T2 >= T, my inclination would be to verify that the
certificate wasn't revoked at T2, and was valid during the interval
T..T2. Without independent evidence about the time of signing, I
basically have T2==now, which gets me what you describe as the "short
term" algorithm.
paul
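The rule in Paul's second paragraph, as an added Python example that is not part of the thread: the real signing time lies somewhere in [T, T2], where T is the signer's own timestamp and T2 is an independently trusted upper bound that defaults to now. The `Certificate` dataclass, the function names and all dates below are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class Certificate:
    not_before: datetime
    not_after: datetime
    revoked_at: Optional[datetime] = None  # revocation date from the CRL entry; None if not listed


def signature_acceptable(cert: Certificate,
                         claimed_signing_time: datetime,            # T: timestamp inside the signature
                         trusted_not_after: Optional[datetime],     # T2: independent evidence, or None
                         now: datetime) -> bool:
    """Accept only if the certificate was valid over all of [T, T2] and not revoked as of T2."""
    t = claimed_signing_time
    t2 = trusted_not_after if trusted_not_after is not None else now  # no evidence -> T2 == now
    if t2 < t:
        return False  # evidence says the signature existed before the signer claims to have made it
    if not (cert.not_before <= t and t2 <= cert.not_after):
        return False  # certificate was outside its validity period somewhere in [T, T2]
    if cert.revoked_at is not None and cert.revoked_at <= t2:
        return False  # certificate was already revoked by T2
    return True


def demo():
    """Constructed scenario: key revoked 2024-06-01, signature examined on 2024-07-01."""
    revoked_cert = Certificate(datetime(2024, 1, 1), datetime(2025, 1, 1), datetime(2024, 6, 1))
    now = datetime(2024, 7, 1)
    # A signature whose own timestamp is just before the revocation ("T-epsilon") but with no
    # independent evidence: T2 falls back to now, which is after the revocation, so it is rejected.
    backdated = signature_acceptable(revoked_cert, datetime(2024, 5, 31, 23, 59), None, now)
    # The same certificate, but a trusted third party attests the signature existed by 2024-05-15:
    # the interval [T, T2] ends before the revocation, so it is accepted.
    attested = signature_acceptable(revoked_cert, datetime(2024, 5, 1), datetime(2024, 5, 15), now)
    # An unrevoked certificate checked with no evidence is the "short term" case: valid from T to now.
    live_cert = Certificate(datetime(2024, 1, 1), datetime(2025, 1, 1))
    short_term = signature_acceptable(live_cert, datetime(2024, 6, 30), None, now)
    return backdated, attested, short_term
```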