Re: Online Certificate Revocation Protocol
Tony Bartoletti <azb@llnl.gov> Wed, 13 June 2001 18:43 UTC
Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA29151 for <pkix-archive@odin.ietf.org>; Wed, 13 Jun 2001 14:43:57 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.3/8.11.3) id f5DHwmR01191 for ietf-pkix-bks; Wed, 13 Jun 2001 10:58:48 -0700 (PDT)
Received: from smtp-2.llnl.gov (smtp-2.llnl.gov [128.115.250.82]) by above.proper.com (8.11.3/8.11.3) with ESMTP id f5DHwlJ01187 for <ietf-pkix@imc.org>; Wed, 13 Jun 2001 10:58:47 -0700 (PDT)
Received: from poptop.llnl.gov (localhost [127.0.0.1]) by smtp-2.llnl.gov (8.9.3/8.9.3/LLNL-gateway-1.0) with ESMTP id KAA14534; Wed, 13 Jun 2001 10:58:39 -0700 (PDT)
Received: from catalyst.llnl.gov (catalyst.llnl.gov [128.115.222.68]) by poptop.llnl.gov (8.8.8/LLNL-3.0.2/pop.llnl.gov-5.1) with ESMTP id KAA07989; Wed, 13 Jun 2001 10:58:35 -0700 (PDT)
Message-Id: <4.3.2.7.2.20010613105449.00b05260@poptop.llnl.gov>
X-Sender: e048786@poptop.llnl.gov
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Wed, 13 Jun 2001 11:06:32 -0700
To: jim <jimhei@cablespeed.com>, Santosh Chokhani <chokhani@cygnacom.com>
From: Tony Bartoletti <azb@llnl.gov>
Subject: Re: Online Certificate Revocation Protocol
Cc: "Scherling, Mark" <mscherling@rsasecurity.com>, thayes@netscape.com, Ietf-Pkix <ietf-pkix@imc.org>
In-Reply-To: <3B277422.1DCEF688@cablespeed.com>
References: <8D7EC1912E25D411A32100D0B76953978DF552@scygmxs01.cygnacom.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
List-ID: <ietf-pkix.imc.org>
At 10:09 AM 6/13/01 -0400, jim wrote: >I have to jump in again. Mark is correct. Remember that we are talking a >Certification Revocation List (CRL). This is vastly different than a >Compromised Key List (CKL). We place a certificate on the CRL because >there is a larger problem other than just the signing key. If the token >set is damaged or destroyed (this is a good place to insert Bob's >reflection on bent keys), the cert needs to be added to the CRL. If there >is some way to ensure that only a keyset is damaged, the cert can be >rekeyed so that service for the DN continues. It specifically does come >back to the concern of knowing what is considered destroyed and what is >considered bent. Since I have not seen the equivalent of a CKL in the >IETF world, I have to assume that the only way to truly cancel usage of a >key is either to put the cert on the CRL or to rekey the cert so that the >old key is no longer valid. The question becomes how to demonstrate that >a key has been invalidated without invalidating the DN or cert. > >I think Santosh and I agree that the question is one of trust as to >whether the key is truly destroyed as opposed to being unusable to the >user, but the issuing authority still has the responsibility for making >that determination and if needed, revoking the cert to invalidate the >key. There is a fine line between what happens technically and what needs >to happen procedurally. Thus, I still side with Mark and the proponents >of transaction notarization (accomplishable through a retrievable audit >trail) as a better, more secure process. I am not arguing about what >needs to happen as far as the technical capability of key management, but >from the risk mitigation standpoint, which is what business needs to deal >with. They need to have an electronic system that is as inherently secure >as their paper system or PKI will never get off the ground. > >Jim A (X.509) certificate is a CAs attestation of a given key->DN binding. Thus, a new key *dictates* a new and different certificate. This is the first time I've come across the terminology "the cert can be rekeyed". This is a curious turn of phrase! It sounds like "we changed the key, but don't fret, the *certificate* remains the same." To my understanding, rather than "rekey a cert", you want to "recertify a DN". ___tony___ Tony Bartoletti 925-422-3881 <azb@llnl.gov> Information Operations, Warfare and Assurance Center Lawrence Livermore National Laboratory Livermore, CA 94551-9900
- RE: Online Certificate Revocation Protocol JANES, Mark
- Online Certificate Revocation Protocol Massimiliano Pala
- Online Certificate Revocation Protocol Massimiliano Pala
- Re: Online Certificate Revocation Protocol Hansen Wang
- RE: Online Certificate Revocation Protocol Carlin Covey
- RE: Online Certificate Revocation Protocol Peter Williams
- RE: Online Certificate Revocation Protocol Frank Balluffi
- Re: Online Certificate Revocation Protocol Massimiliano Pala
- Re: Online Certificate Revocation Protocol Massimiliano Pala
- Re: Online Certificate Revocation Protocol Nada Kapidzic Cicovic
- Re: Online Certificate Revocation Protocol Massimiliano Pala
- Re: Online Certificate Revocation Protocol Peter Gutmann
- RE: Online Certificate Revocation Protocol Peter Gutmann
- Re: Online Certificate Revocation Protocol Massimiliano Pala
- Re: Online Certificate Revocation Protocol Housley, Russ
- RE: Online Certificate Revocation Protocol Santosh Chokhani
- Re: Online Certificate Revocation Protocol Tony Bartoletti
- Re: Online Certificate Revocation Protocol Tony Bartoletti
- RE: Online Certificate Revocation Protocol Santosh Chokhani
- Re: Online Certificate Revocation Protocol Andrew W. Gray
- Re: Online Certificate Revocation Protocol Paul Hoffman / IMC
- Re: Online Certificate Revocation Protocol Hansen Wang
- Re: Online Certificate Revocation Protocol Tony Bartoletti
- Re: Online Certificate Revocation Protocol Tony Bartoletti
- Re: Online Certificate Revocation Protocol Marc Branchaud
- RE: Online Certificate Revocation Protocol Paul Gogarty
- Re: Online Certificate Revocation Protocol jim
- Re: Online Certificate Revocation Protocol Hansen Wang
- Online Certificate Revocation Protocol Mr Jonathan W Jenkyn
- Re: Online Certificate Revocation Protocol Hansen Wang
- Online Certificate Revocation Protocol Massimiliano Pala
- Re: Online Certificate Revocation Protocol Massimiliano Pala
- Online Certificate Revocation Protocol Massimiliano Pala
- RE: Online Certificate Revocation Protocol Santosh Chokhani
- RE: Online Certificate Revocation Protocol Santosh Chokhani
- Re: Online Certificate Revocation Protocol Paul Hoffman / IMC
- Re: Online Certificate Revocation Protocol jim
- Re: Online Certificate Revocation Protocol Peter Gutmann
- Re: Online Certificate Revocation Protocol Peter Gutmann
- Re: Online Certificate Revocation Protocol Peter Gutmann
- RE: Online Certificate Revocation Protocol Santosh Chokhani
- Re: Online Certificate Revocation Protocol Massimiliano Pala
- Re: Online Certificate Revocation Protocol Bob Jueneman
- RE: Online Certificate Revocation Protocol Santosh Chokhani
- RE: Online Certificate Revocation Protocol Santosh Chokhani
- RE: Online Certificate Revocation Protocol Carlin Covey
- Re: Online Certificate Revocation Protocol Marc Branchaud
- RE: Online Certificate Revocation Protocol Tony Bartoletti
- Re: Online Certificate Revocation Protocol Tony Bartoletti
- Re: Online Certificate Revocation Protocol Marc Branchaud
- Re: Online Certificate Revocation Protocol Marc Branchaud
- RE: Online Certificate Revocation Protocol Santosh Chokhani
- Re: Online Certificate Revocation Protocol Massimiliano Pala
- RE: Online Certificate Revocation Protocol Lynn.Wheeler
- Re: Online Certificate Revocation Protocol Marc Branchaud
- RE: Online Certificate Revocation Protocol Carlin Covey
- RE: Online Certificate Revocation Protocol Lynn.Wheeler
- RE: Online Certificate Revocation Protocol Paul Gogarty
- RE: Online Certificate Revocation Protocol Scherling, Mark
- RE: Online Certificate Revocation Protocol Carlin Covey
- RE: Online Certificate Revocation Protocol Scherling, Mark
- RE: Online Certificate Revocation Protocol Bob Jueneman
- RE: Online Certificate Revocation Protocol Scherling, Mark
- Re: Online Certificate Revocation Protocol Terry Hayes
- RE: Online Certificate Revocation Protocol Santosh Chokhani
- RE: Online Certificate Revocation Protocol Scherling, Mark
- RE: Online Certificate Revocation Protocol Santosh Chokhani
- RE: Online Certificate Revocation Protocol Scherling, Mark
- RE: Online Certificate Revocation Protocol Santosh Chokhani
- RE: Online Certificate Revocation Protocol Santosh Chokhani
- RE: Online Certificate Revocation Protocol Carlin Covey
- Re: Online Certificate Revocation Protocol Peter Gutmann
- RE: Online Certificate Revocation Protocol Lynn.Wheeler
- Re: Online Certificate Revocation Protocol Massimiliano Pala
- Re: Online Certificate Revocation Protocol jim
- Re: Online Certificate Revocation Protocol jim
- Re: Online Certificate Revocation Protocol Lynn.Wheeler
- Re: Online Certificate Revocation Protocol Tony Bartoletti
- Re: Online Certificate Revocation Protocol Tony Bartoletti
- RE: Online Certificate Revocation Protocol Scherling, Mark
- RE: Online Certificate Revocation Protocol Hal Lockhart
- Re: Online Certificate Revocation Protocol Peter Gutmann
- RE: Online Certificate Revocation Protocol Santosh Chokhani
- RE: Online Certificate Revocation Protocol Santosh Chokhani
- Re: Online Certificate Revocation Protocol jim
- RE: Online Certificate Revocation Protocol Santosh Chokhani
- RE: Online Certificate Revocation Protocol Liaquat Khan
- RE: Online Certificate Revocation Protocol Scherling, Mark
- RE: Online Certificate Revocation Protocol Santosh Chokhani
- Re: Online Certificate Revocation Protocol Tony Bartoletti
- RE: Online Certificate Revocation Protocol Scherling, Mark
- RE: Online Certificate Revocation Protocol Santosh Chokhani
- RE: Online Certificate Revocation Protocol Tony Bartoletti
- Re: Online Certificate Revocation Protocol jim
- RE: Online Certificate Revocation Protocol Luis Azevedo
- Re: Online Certificate Revocation Protocol Denis Pinkas
- Re: Online Certificate Revocation Protocol Peter Gutmann
- RE: Online Certificate Revocation Protocol Liaquat Khan
- Re: Online Certificate Revocation Protocol Denis Pinkas
- Re: Online Certificate Revocation Protocol Denis Pinkas
- Re: Online Certificate Revocation Protocol Nick Pope