IETF Logo Mail Archive

Re: [pkix] New draft-ietf-pkix-rfc2560bis-06

mrex@sap.com (Martin Rex) Tue, 23 October 2012 10:17 UTC

Return-Path: <mrex@sap.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7BA3421F865E for <pkix@ietfa.amsl.com>; Tue, 23 Oct 2012 03:17:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.207
X-Spam-Level:
X-Spam-Status: No, score=-10.207 tagged_above=-999 required=5 tests=[AWL=0.042, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bO6wfOQ8hBKt for <pkix@ietfa.amsl.com>; Tue, 23 Oct 2012 03:17:28 -0700 (PDT)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id B17F221F8654 for <pkix@ietf.org>; Tue, 23 Oct 2012 03:17:27 -0700 (PDT)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id q9NAHP2c012819 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 23 Oct 2012 12:17:25 +0200 (MEST)
In-Reply-To: <50866A61.3070404@bull.net>
To: Denis Pinkas <denis.pinkas@bull.net>
Date: Tue, 23 Oct 2012 12:17:25 +0200
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20121023101725.6273E1A2EE@ld9781.wdf.sap.corp>
From: mrex@sap.com
X-SAP: out
Cc: pkix@ietf.org
Subject: Re: [pkix] New draft-ietf-pkix-rfc2560bis-06
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Oct 2012 10:17:28 -0000

Denis Pinkas wrote:
> 
> The certificateHold state was not created to have certificates issued
> in a suspended state. It was created to allow a user to suspend its
> certificates rather than revoking its certificates, in case a smart
> card was temporarily lost and since after a revocation it may take
> a while to get a new smart card.
> 
> Some people, then used also the certificateHold state to have
> certificates issued in a suspended state. This is legitimate since
> it complies with the semantics of the certificateHold state.
> 
> We should not change/overload the meaning of CertificateHold.


The purpose of the CertificateHold is to convey from the CA to the RP
"you should not currently trust the certificate with this serial,
because it is not certain that the entity which is currently
in control of the associated private key is actually the entity
which the cert says it is." 

When an OCSP responder has access to the certificate issue logs,
and does not find proof that a requested serial was issued,
then the message it wants to convey to the RP is
"you should not currently trust the certificate with this serial,
because it is not certain that the entity which is currently
in control of the associated private key is actually the entity
which the cert says it is."

So we are *NOT* changing nor overloading the semantics of CertificateHold
_at_all_ with this expanded definition !


-Martin

"

v2.23.0 | Report a Bug | By Email