Re: Online Certificate Revocation Protocol

[Nada Kapidzic Cicovic <nada@entegrity.com>]

At 11:01 AM 6/8/01 +0200, Massimiliano Pala wrote:
>Carlin Covey wrote:
>
> > But none of these allow a certificate to be revoked. I gather that
> > you are interested in a protocol for requesting revocation of certificates.
> > Check out CMP, available at
> > http://www.ietf.org/internet-drafts/draft-ietf-pkix-rfc2510bis-04.txt
>
>This could be the case, anyway I was thinking of something more "robust"
>and a little bit complex -- as request/response contents -- to prevent
>unauthorized revoking requesting to prevent as much as possible DoS but
>allowing for a simple revocation method. This could help environments where
>legal issues are also covered -- govenment PKIs, Municipalities PKIs,
>etc...

This is exactly what CMP specifies. Many vendors already have support for 
CMP EE initiated certificate revocation. The interoperability of different 
implementations of CMP certificate revocation (among other things) has been 
conducted during PKI Forum and ICSA CMP interop testing quite successfully.

Nada


>The model I've been thinking of is mostly based on a structure very similar
>to the model proposed in OCSP. The choosen transport mechanism could be
>HTTP -- this could help browsers in adding the functionality and CSP to
>implement the service.
>
>--
>
>C'you,
>
>         Massimiliano Pala
>
>--o-------------------------------------------------------------------------
>Massimiliano Pala [OpenCA Project Manager]                madwolf@openca.org
>                                                      madwolf@hackmasters.net
>http://www.openca.org                            Tel.:   +39 (0)59  270  094
>http://openca.sourceforge.net                    Mobile: +39 (0)347 7222 365

______________________________________________________________

Nada Kapidzic Cicovic, Ph.D.
Technical Director,   Entegrity Solutions
office: + 46 8 477 77 37,   cell: + 46 70 495 09 03,    fax: + 46 8 477 77 31