Re: Online Certificate Revocation Protocol
Denis Pinkas <Denis.Pinkas@bull.net> Mon, 18 June 2001 13:57 UTC
Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA08034 for <pkix-archive@odin.ietf.org>; Mon, 18 Jun 2001 09:57:58 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.3/8.11.3) id f5ICick20404 for ietf-pkix-bks; Mon, 18 Jun 2001 05:44:38 -0700 (PDT)
Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.11.3/8.11.3) with ESMTP id f5ICiaJ20398 for <ietf-pkix@imc.org>; Mon, 18 Jun 2001 05:44:36 -0700 (PDT)
Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id OAA14224; Mon, 18 Jun 2001 14:45:16 +0200
Received: from bull.net (frlva3786.frlv.bull.fr [129.184.37.97]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id OAA18710; Mon, 18 Jun 2001 14:44:04 +0200
Message-ID: <3B2DF26B.23B10AEC@bull.net>
Date: Mon, 18 Jun 2001 14:22:03 +0200
From: Denis Pinkas <Denis.Pinkas@bull.net>
Organization: Integris. A Bull Company
X-Mailer: Mozilla 4.7 [fr] (Win98; I)
X-Accept-Language: fr
MIME-Version: 1.0
To: liaquat.khan@gta.multicert.org
CC: ietf-pkix@imc.org
Subject: Re: Online Certificate Revocation Protocol
References: <LPBBLCKMHBKCDJGHBAJOIEJGCIAA.liaquat.khan@gta.multicert.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
List-ID: <ietf-pkix.imc.org>
Content-Transfer-Encoding: 7bit
Liaquat, > I agree with what you are saying Denis, Good. > but the scenario I was painting was > slightly different. Imagine a digital signature which is being verified for > the first time by a relying party. The relying party checks the relevant > CRL and realises that the certificate is revoked. So the signature is invalid. > However the signature was produced before the revocation occurred. How can a relying party know that the signature was produced before the revocation occurred ? Unless a time-stamp has been applied it is hard to prove. Then if you want to prove that the signature was valid (or invalid) at the time the time-stamp was applied, then you must get the revocation information available at that time. > It would be nice for the CA to > indicate in the CRL within the reason code that the certificate was never > valid. So signatures performed even before the revocation should not be > trusted. One again, signatures performed before the revocation shall remain trusted. Regards, Denis > Regards, > Liaquat > > -----Original Message----- > From: Denis Pinkas [mailto:Denis.Pinkas@bull.net] > Sent: 18 June 2001 09:59 > To: liaquat.khan@gta.multicert.org > Cc: ietf-pkix@imc.org > Subject: Re: Online Certificate Revocation Protocol > > Liaquat, > > > I agree a new reason code of ("never valid") has uses. This will allow a > > relying party when verifying a digital signatures using a certificate, > which > > when performing revocation checking is found to be on a CRL with the a new > > reason code ("never valid"), to detect that the digital signature should > not > > be trusted even if the digital signature was produced before the time of > the > > revocation of the certificate. Otherwise in theory signature produced > > before the revocation will continue to be considered valid - not a good > > situation for the relying party or for the CA. > > This is the reverse situation. If a signature was tested to be valid e.g. in > June 2000 and the certificate was revoked for any reason e.g. in May 2001, > then the signature tested good in June 2000, shall continue to be valid, > otherwise it would not be a good situation for relying parties. > > Denis > > > However, I cannot see the need to keep such a certificate on a CRL even > > after it has expired...what does this achieve? > > > > Regards, > > Liaquat > > > > -----Original Message----- > > From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org]On > > Behalf Of Peter Gutmann > > Sent: 14 June 2001 11:13 > > To: ietf-pkix@imc.org; madwolf@openca.org > > Subject: Re: Online Certificate Revocation Protocol > > > > Massimiliano Pala <madwolf@hackmasters.net> writes: > > >Peter Gutmann wrote: > > >>There's another revocation status which needs a way of indicating it > which > > is > > >>somewhat trickier, I'll bring it up here in case anyone has any ideas: > > >>Sometimes a cert can be issued in error, what's needed here is a > > revocation > > >>reason which says that not only is the cert revoked, it should never be > > and > > >>was never valid at any time for any reason. You can sort of achieve > this > > by > > > > > >In this case, when will br the entry removed from the CRL ? When the > > >certificate will be expired ?? Or should it be left in all future CRLs ? > > > > Well, CMP leaves pretty much everything to CA policy so it's up to the > > individual CA. I leave it in the CRL until the cert expires anyway, but > > that's just me (I'm also currently overloading the "undefined" reason code > > in > > the hope that, since you're not supposed to use it, it's a spare code > which > > can be used to mean "never valid", but it really needs its own reason code > > to > > indicate the true status). > > > > Peter.
- RE: Online Certificate Revocation Protocol JANES, Mark
- Online Certificate Revocation Protocol Massimiliano Pala
- Online Certificate Revocation Protocol Massimiliano Pala
- Re: Online Certificate Revocation Protocol Hansen Wang
- RE: Online Certificate Revocation Protocol Carlin Covey
- RE: Online Certificate Revocation Protocol Peter Williams
- RE: Online Certificate Revocation Protocol Frank Balluffi
- Re: Online Certificate Revocation Protocol Massimiliano Pala
- Re: Online Certificate Revocation Protocol Massimiliano Pala
- Re: Online Certificate Revocation Protocol Nada Kapidzic Cicovic
- Re: Online Certificate Revocation Protocol Massimiliano Pala
- Re: Online Certificate Revocation Protocol Peter Gutmann
- RE: Online Certificate Revocation Protocol Peter Gutmann
- Re: Online Certificate Revocation Protocol Massimiliano Pala
- Re: Online Certificate Revocation Protocol Housley, Russ
- RE: Online Certificate Revocation Protocol Santosh Chokhani
- Re: Online Certificate Revocation Protocol Tony Bartoletti
- Re: Online Certificate Revocation Protocol Tony Bartoletti
- RE: Online Certificate Revocation Protocol Santosh Chokhani
- Re: Online Certificate Revocation Protocol Andrew W. Gray
- Re: Online Certificate Revocation Protocol Paul Hoffman / IMC
- Re: Online Certificate Revocation Protocol Hansen Wang
- Re: Online Certificate Revocation Protocol Tony Bartoletti
- Re: Online Certificate Revocation Protocol Tony Bartoletti
- Re: Online Certificate Revocation Protocol Marc Branchaud
- RE: Online Certificate Revocation Protocol Paul Gogarty
- Re: Online Certificate Revocation Protocol jim
- Re: Online Certificate Revocation Protocol Hansen Wang
- Online Certificate Revocation Protocol Mr Jonathan W Jenkyn
- Re: Online Certificate Revocation Protocol Hansen Wang
- Online Certificate Revocation Protocol Massimiliano Pala
- Re: Online Certificate Revocation Protocol Massimiliano Pala
- Online Certificate Revocation Protocol Massimiliano Pala
- RE: Online Certificate Revocation Protocol Santosh Chokhani
- RE: Online Certificate Revocation Protocol Santosh Chokhani
- Re: Online Certificate Revocation Protocol Paul Hoffman / IMC
- Re: Online Certificate Revocation Protocol jim
- Re: Online Certificate Revocation Protocol Peter Gutmann
- Re: Online Certificate Revocation Protocol Peter Gutmann
- Re: Online Certificate Revocation Protocol Peter Gutmann
- RE: Online Certificate Revocation Protocol Santosh Chokhani
- Re: Online Certificate Revocation Protocol Massimiliano Pala
- Re: Online Certificate Revocation Protocol Bob Jueneman
- RE: Online Certificate Revocation Protocol Santosh Chokhani
- RE: Online Certificate Revocation Protocol Santosh Chokhani
- RE: Online Certificate Revocation Protocol Carlin Covey
- Re: Online Certificate Revocation Protocol Marc Branchaud
- RE: Online Certificate Revocation Protocol Tony Bartoletti
- Re: Online Certificate Revocation Protocol Tony Bartoletti
- Re: Online Certificate Revocation Protocol Marc Branchaud
- Re: Online Certificate Revocation Protocol Marc Branchaud
- RE: Online Certificate Revocation Protocol Santosh Chokhani
- Re: Online Certificate Revocation Protocol Massimiliano Pala
- RE: Online Certificate Revocation Protocol Lynn.Wheeler
- Re: Online Certificate Revocation Protocol Marc Branchaud
- RE: Online Certificate Revocation Protocol Carlin Covey
- RE: Online Certificate Revocation Protocol Lynn.Wheeler
- RE: Online Certificate Revocation Protocol Paul Gogarty
- RE: Online Certificate Revocation Protocol Scherling, Mark
- RE: Online Certificate Revocation Protocol Carlin Covey
- RE: Online Certificate Revocation Protocol Scherling, Mark
- RE: Online Certificate Revocation Protocol Bob Jueneman
- RE: Online Certificate Revocation Protocol Scherling, Mark
- Re: Online Certificate Revocation Protocol Terry Hayes
- RE: Online Certificate Revocation Protocol Santosh Chokhani
- RE: Online Certificate Revocation Protocol Scherling, Mark
- RE: Online Certificate Revocation Protocol Santosh Chokhani
- RE: Online Certificate Revocation Protocol Scherling, Mark
- RE: Online Certificate Revocation Protocol Santosh Chokhani
- RE: Online Certificate Revocation Protocol Santosh Chokhani
- RE: Online Certificate Revocation Protocol Carlin Covey
- Re: Online Certificate Revocation Protocol Peter Gutmann
- RE: Online Certificate Revocation Protocol Lynn.Wheeler
- Re: Online Certificate Revocation Protocol Massimiliano Pala
- Re: Online Certificate Revocation Protocol jim
- Re: Online Certificate Revocation Protocol jim
- Re: Online Certificate Revocation Protocol Lynn.Wheeler
- Re: Online Certificate Revocation Protocol Tony Bartoletti
- Re: Online Certificate Revocation Protocol Tony Bartoletti
- RE: Online Certificate Revocation Protocol Scherling, Mark
- RE: Online Certificate Revocation Protocol Hal Lockhart
- Re: Online Certificate Revocation Protocol Peter Gutmann
- RE: Online Certificate Revocation Protocol Santosh Chokhani
- RE: Online Certificate Revocation Protocol Santosh Chokhani
- Re: Online Certificate Revocation Protocol jim
- RE: Online Certificate Revocation Protocol Santosh Chokhani
- RE: Online Certificate Revocation Protocol Liaquat Khan
- RE: Online Certificate Revocation Protocol Scherling, Mark
- RE: Online Certificate Revocation Protocol Santosh Chokhani
- Re: Online Certificate Revocation Protocol Tony Bartoletti
- RE: Online Certificate Revocation Protocol Scherling, Mark
- RE: Online Certificate Revocation Protocol Santosh Chokhani
- RE: Online Certificate Revocation Protocol Tony Bartoletti
- Re: Online Certificate Revocation Protocol jim
- RE: Online Certificate Revocation Protocol Luis Azevedo
- Re: Online Certificate Revocation Protocol Denis Pinkas
- Re: Online Certificate Revocation Protocol Peter Gutmann
- RE: Online Certificate Revocation Protocol Liaquat Khan
- Re: Online Certificate Revocation Protocol Denis Pinkas
- Re: Online Certificate Revocation Protocol Denis Pinkas
- Re: Online Certificate Revocation Protocol Nick Pope