Re: On Hold
At 08:49 AM 12/16/98 -0700, Mike Smith wrote:
>I separated out my response to the "on hold" question.
>
>In my opinion, there are valid business reasons to suspend or put a certificate on hold. Two of which include:
>1. Someone other than the certificate holder (say, her business competitor) reported a compromised private identity key. Suspended until holder and owner could be notified and confirmed or disavowed. The suspension would become revocation as default after specified time (say, 24 hours). It would only be reinstated if the holder or owner denied the compromise.

There is a special case, where revocation should be immediate. It is where the CA
receives a _signed_ request, signed with the supposedly compromised key, to effect
key revocation. Either the request was signed by the legitimate owner, in which
case I assume they have the right to (forward) revoke their own key, or the request
was signed by someone else, hence the key is de facto compromised.

In a security model where only future signatures should be seen as invalid, there
is no need to distinguish who made the signed request.

___tony___
Tony Bartoletti
SPI-NET GURU
Computer Security Technology Center
Lawrence Livermore National Lab
PO Box 808, L - 303
Livermore, CA 94551-9900
email: azb@llnl.gov phone: 925-422-3881
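
The two report paths discussed in this message, sketched as CA-side logic; this is an added example, not part of the original thread. The `Cert` record, the `REVOKE <serial>` request format, and the use of Ed25519 as the signature scheme are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"time"
)

type Status string

const Valid, OnHold, Revoked Status = "valid", "on-hold", "revoked"

// Cert is a hypothetical CA-side record (all names here are assumptions).
type Cert struct {
	Serial    string
	Key       ed25519.PublicKey
	Status    Status
	HoldUntil time.Time // hold turns into revocation at this time
}

// RevokeMsg is the assumed byte string that a revocation request signs.
func RevokeMsg(serial string) []byte { return []byte("REVOKE " + serial) }

// Report handles a compromise report; sig is nil for an unsigned third-party report.
func (c *Cert) Report(sig []byte, now time.Time) Status {
	// A valid signature by the certified key revokes at once: the signer is
	// the owner or someone else holding the key, so who sent it does not matter.
	if ed25519.Verify(c.Key, RevokeMsg(c.Serial), sig) {
		c.Status = Revoked
	} else if c.Status == Valid {
		c.Status, c.HoldUntil = OnHold, now.Add(24*time.Hour)
	}
	return c.Status
}

// Settle resolves a hold: the holder's denial reinstates, expiry revokes.
func (c *Cert) Settle(holderDenies bool, now time.Time) Status {
	if c.Status == OnHold && holderDenies {
		c.Status = Valid
	} else if c.Status == OnHold && !now.Before(c.HoldUntil) {
		c.Status = Revoked
	}
	return c.Status
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	c := &Cert{Serial: "01", Key: pub, Status: Valid}
	fmt.Println(c.Report(nil, time.Now()), c.Report(ed25519.Sign(priv, RevokeMsg("01")), time.Now()))
}
```

A request signed by any other key fails verification and is handled like an unsigned report, so it can place the certificate on hold but cannot revoke it outright.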