Re: On Hold

[Russ Housley <housley@xxxxxxxxxx>]

X.509 identiy certificates bind a public key to an identity (subject DN
and/or subject alt names).  A CRL entry indicates that this binding is no
longer appropriate.  It might be inapproriate due to key compromise, name
change, or a number of other reasons.

Certificate path validation software it trying to generate a binary answer:
the path is valid or it is not valid.  To me, "on hold" creates a maybe.
For this reason, I really dislike "on hold."

We need to have straight forward path validation if we are going to see
wide spread implementation in clients.

Often certificate path validation is part of some overall system founction,
like authentication to a web site.  Based on the output of certificate path
validation and other data, the clinet will be admitted to the web site or
refused access.  I suggest that bad check history is "other data," not a
reason to revoke the binding of the user's identity to the public key.

Similar arguments can be made for e-mail, remote access, e-payment, and
other environments.

Russ

At 08:49 AM 12/16/98 -0700, Mike Smith wrote:
>I separated out my response to the "on hold"  question.
>
>In my opinion, there are valid business reasons to suspend or put a 
>certificate on hold.  Two of which incude:
>1. Someone other than the certificate holder (say, her business competitor) 
>reported a compromised private identitiy key.  Suspended until holder and 
>owner could be notified and confirmed or disavowed.  The suspension would 
>become revocation as default after specified time (say, 24 hours).  It would 
>only be reinstated if the holder or owner denied the compromise.
>2.  The holder or subscriber did not pay their bill, check bounced or other 
>business reason between the issuer, repsository, holder and owner.  Again, 
>revocation after a specified time period is the default, reinstatement by 
>the CA and/or repository once again when holder or owner are in good standing.
>
>With systems that only work (validate signatures and trust) while a 
>certificate is still valid, then suspected compromised key situations would 
>not be sufficient reason to suspend instead of revoke.  This model 
>invalidates all signed objects, not just those signed within the suspension 
>period.
>
>If the system was implemented with a time stamp authority and requirement, 
>which based the validation and trust verification on time the object was 
>signed, then a record of the suspension would also have to be archived for 
>these systems to work.  I believe that the current models for suspension 
>have the record of the suspension dropping off the CRLs after one or two 
>generations past the end of the suspension.
>
>Michael
>
>>>> Juergen Walter <walter@deh.de> 12/16/98 03:37AM >>>
>******************  InterScan Message (on zbc2)
>
>noname is scanned and no virus found
>*********************************************************
>                                                                             
>                                                                             
>                                                                             
>                                                                             
>                                                                             
>                                                                             
>                                                                             
>                                                                             
>                                                                             
>                                                                             
>                                                                             
>                                                                             
>                                                                   !
>