
Re: Invalidity Dates



David,

Robert R. Jueneman
Security Architect
Network Security Development
Novell, Inc.
122 East 1700 South
Provo, UT 84606
bjueneman@novell.com
1-801-861-7387

>>> David Solo <david.solo@citicorp.com> 12/17/98 08:18AM >>>
Bob,

DS>A further comment (and clarification).  With respect to hold status, in 
all the discussions I can recall, the firm agreement has been that if a
hold is converted to a "full" revocation, the revocation date
(regardless of what happens with the invalidity date) becomes the date
of the hold (i.e. for all intents and purposes, it is as if the
certificate was revoked, rather than held, at the time of the original
hold).  I'm not sure if you were suggesting something different.

No, I agree with you.  I just have been so busy with encryption and 
other issues that I haven't had the time I'd like to keep up with the latest
revisions, and haven't even downloaded the latest text to check exactly 
what is said on this point. Does the current text make this clear?  In
particular, I didn't want the date of the CRL to be the date of the 
revocation in this case.

DS>With respect to the general discussion, I still believe the invalidity
date makes sense in some environments.  I would expect some CAs (as part
of their operating rules/practices) to preclude its use, others to
perform some degree of diligence on the requested value, and others to
allow end entities to request whatever they like.  This is then
supplemental information which an RP may or may not elect to make use
of.  In any case, disputes would either be subject to operating rules
for a given environment or to more general contract principles.

Hmm.  Every time we get into these kinds of philosophical discussions,
I am torn between wanting to be flexible enough to satisfy the primary 
business needs, vs. being so flexible that no one knows what a given 
field represents in a specific case.  I am particularly reluctant to allow
the mass of individual CAs to make up their own mind about these
things and to include them in their (normally unread) CA Policy
documents.  (I am not necessarily talking about the major public CAs,
nor the more or less private, closed CAs such as are used for 
industry associations, etc.)

At present, I understand the field is defined with a SHOULD, rather 
than a MUST. That's certainly going in the right direction, but my preference
would be for PROBABLY OUGHT NOT TO (mildly deprecated).

Bob
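The two rules under discussion, that a hold converted to a full revocation keeps the date of the original hold as its revocationDate (not the thisUpdate of the CRL that first carries the new reason), and that invalidityDate is supplemental information a CA may preclude, check or pass through and a relying party may or may not use, are modelled below. This is an added example, not code from the thread or from any PKIX implementation; the policy names `preclude`, `diligence` and `allow`, the function names, and the sample dates are constructed. The CRLReason values are those of the PKIX profile (RFC 5280, section 5.3.1).

```python
"""Constructed model of the CRL-entry semantics discussed in the thread."""
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Optional

# CRLReason values from RFC 5280 section 5.3.1
KEY_COMPROMISE = 1
CERTIFICATE_HOLD = 6


@dataclass(frozen=True)
class CrlEntry:
    """One revokedCertificates entry: serial, revocationDate, and the two
    entry extensions the discussion is about (reasonCode, invalidityDate)."""
    serial: int
    revocation_date: datetime
    reason: int
    invalidity_date: Optional[datetime] = None


def convert_hold_to_revocation(entry: CrlEntry, new_reason: int,
                               crl_this_update: datetime) -> CrlEntry:
    """Turn a certificateHold entry into a full revocation.

    The revocationDate stays at the date of the original hold; it is NOT
    moved to the thisUpdate of the CRL that first carries the new reason.
    crl_this_update is only sanity-checked, never copied into the entry.
    """
    if entry.reason != CERTIFICATE_HOLD:
        raise ValueError("only a held certificate can be converted")
    if new_reason == CERTIFICATE_HOLD:
        raise ValueError("new reason must be a full revocation reason")
    if crl_this_update < entry.revocation_date:
        raise ValueError("CRL cannot predate the hold it converts")
    return replace(entry, reason=new_reason)


def ca_accepts_invalidity_date(policy: str, requested: Optional[datetime],
                               revocation_date: datetime,
                               cert_not_before: datetime) -> bool:
    """CA-side handling of a requested invalidityDate under the three kinds
    of operating rule named in the thread (policy names are assumptions)."""
    if requested is None:
        return True                      # nothing requested, nothing to judge
    if policy == "preclude":
        return False                     # CA never carries the extension
    if policy == "allow":
        return True                      # end entity may assert any value
    if policy == "diligence":
        # plausibility check: not before the certificate existed and not
        # after the revocation it qualifies
        return cert_not_before <= requested <= revocation_date
    raise ValueError(f"unknown policy {policy!r}")


def effective_invalid_from(entry: CrlEntry, rp_uses_invalidity_date: bool) -> datetime:
    """Relying-party view: the earliest instant from which the certificate is
    treated as invalid. revocationDate is authoritative; invalidityDate is
    advisory and can only pull that instant earlier when the RP elects to
    honour it."""
    if (rp_uses_invalidity_date and entry.invalidity_date is not None
            and entry.invalidity_date < entry.revocation_date):
        return entry.invalidity_date
    return entry.revocation_date


def demo() -> CrlEntry:
    """Hold placed 1 Dec 1998, converted on the CRL of 17 Dec 1998 (constructed)."""
    utc = timezone.utc
    held = CrlEntry(serial=0x1234,
                    revocation_date=datetime(1998, 12, 1, tzinfo=utc),
                    reason=CERTIFICATE_HOLD)
    return convert_hold_to_revocation(held, KEY_COMPROMISE,
                                      datetime(1998, 12, 17, tzinfo=utc))


if __name__ == "__main__":
    e = demo()
    print(e.revocation_date.date(), e.reason)   # hold date is kept, reason is now 1
```

The CA-side function is where the "operating rules" live; the RP-side function shows why the thread worries about meaning: two relying parties looking at the same entry can legitimately treat the certificate as invalid from different instants depending on whether they elect to use the advisory extension.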