Re: Online Certificate Revocation Protocol

["Nick Pope" <pope@secstan.com>]

Re-sending due to e-mail address problems:

>I agree with Denis.  The use of a "never valid" reason code needs to be
vary
>carefully considered before be included since it provides an easy means of
a
>signatory repudiating all his signatures.
>
>Nick Pope
>
>-----Original Message-----
>From: owner-ietf-pkix@mail.imc.org
>[mailto:owner-ietf-pkix@mail.imc.org]On Behalf Of Denis Pinkas
>Sent: 18 June 2001 09:59
>To: liaquat.khan@gta.multicert.org
>Cc: ietf-pkix@imc.org
>Subject: Re: Online Certificate Revocation Protocol
>
>
>
>Liaquat,
>
>>  I agree a new reason code of ("never valid") has uses.  This will allow
a
>>  relying party when verifying a digital signatures using a certificate,
>which
>>  when performing revocation checking is found to be on a CRL with the a
new
>>  reason code ("never valid"), to detect that the digital signature should
>not
>>  be trusted even if the digital signature was produced before the time of
>the
>>  revocation of the certificate.   Otherwise in theory signature produced
>>  before the revocation will continue to be considered valid - not a good
>>  situation for the relying party or for the CA.
>
>This is the reverse situation. If a signature was tested to be valid e.g.
in
>June 2000 and the certificate was revoked for any reason e.g. in May 2001,
>then the signature tested good in June 2000, shall continue to be valid,
>otherwise it would not be a good situation for relying parties.
>
>Denis
>
>>  However, I cannot see the need to keep such a certificate on a CRL even
>>  after it has expired...what does this achieve?
>>
>>  Regards,
>>  Liaquat
>>
>>  -----Original Message-----
>>  From: owner-ietf-pkix@mail.imc.org
[mailto:owner-ietf-pkix@mail.imc.org]On
>>  Behalf Of Peter Gutmann
>>  Sent: 14 June 2001 11:13
>>  To: ietf-pkix@imc.org; madwolf@openca.org
>>  Subject: Re: Online Certificate Revocation Protocol
>>
>>  Massimiliano Pala <madwolf@hackmasters.net> writes:
>>  >Peter Gutmann wrote:
>>  >>There's another revocation status which needs a way of indicating it
>which
>>  is
>>  >>somewhat trickier, I'll bring it up here in case anyone has any ideas:
>>  >>Sometimes a cert can be issued in error, what's needed here is a
>>  revocation
>>  >>reason which says that not only is the cert revoked, it should never
be
>>  and
>>  >>was never valid at any time for any reason.  You can sort of achieve
>this
>>  by
>>  >
>>  >In this case, when will br the entry removed from the CRL ? When the
>>  >certificate will be expired ?? Or should it be left in all future CRLs
?
>>
>>  Well, CMP leaves pretty much everything to CA policy so it's up to the
>>  individual CA.  I leave it in the CRL until the cert expires anyway, but
>>  that's just me (I'm also currently overloading the "undefined" reason
code
>  > in
>>  the hope that, since you're not supposed to use it, it's a spare code
>which
>>  can be used to mean "never valid", but it really needs its own reason
code
>>  to
>>  indicate the true status).
>>
>>  Peter.


--Paul Hoffman, Director
--Internet Mail Consortium