IETF Logo Mail Archive

RE: Online Certificate Revocation Protocol

"Scherling, Mark" <mscherling@rsasecurity.com> Tue, 12 June 2001 17:26 UTC

Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA20199 for <pkix-archive@odin.ietf.org>; Tue, 12 Jun 2001 13:26:54 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.3/8.11.3) id f5CGX0706799 for ietf-pkix-bks; Tue, 12 Jun 2001 09:33:00 -0700 (PDT)
Received: from nebula.x509.com (nebula.x509.com [199.175.150.19]) by above.proper.com (8.11.3/8.11.3) with ESMTP id f5CGWwJ06794 for <ietf-pkix@imc.org>; Tue, 12 Jun 2001 09:32:58 -0700 (PDT)
Received: from crack.x509.com (mail.x509.com [199.175.150.1]) by nebula.x509.com (8.11.3/XCERT) with ESMTP id f5CGWri11182; Tue, 12 Jun 2001 09:32:53 -0700 (PDT)
Received: from exvan01.x509.com (exvan01.x509.com [10.9.22.50]) by crack.x509.com (8.11.3/XCERT) with ESMTP id f5CGWrU19691; Tue, 12 Jun 2001 09:32:53 -0700 (PDT)
Received: by exvan01.x509.com with Internet Mail Service (5.5.2653.19) id <L2KC5FDW>; Tue, 12 Jun 2001 09:33:27 -0700
Message-ID: <016D1D1E0314D5118A7F00508BD9525272DC35@exvan01.x509.com>
From: "Scherling, Mark" <mscherling@rsasecurity.com>
To: 'Carlin Covey' <ccovey@cylink.com>, Paul Gogarty <p.gogarty@mail.com>, Lynn.Wheeler@firstdata.com, "Scherling, Mark" <mscherling@rsasecurity.com>
Cc: Ietf-Pkix <ietf-pkix@imc.org>
Subject: RE: Online Certificate Revocation Protocol
Date: Tue, 12 Jun 2001 09:33:26 -0700
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-ietf-pkix@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
List-ID: <ietf-pkix.imc.org>

The problem is that today we have no way of determining what "hold" means.
We can suspend a certificate which means it's not available, but my
preference is to revoke a certificate if the private key is in an unknown
state, that is we think it was destroyed but there is no way of determining
if that is absolutely true.  

If you look at a lot of the cyber-thefts, a large percentage was with
insider knowledge.  It would be easy to say my key has been destroyed and
then use my key for access to something after I left the organization.  You
would have proof that the key was destroyed (I signed a piece of paper
saying so, with date and time, witnessed by my VP, etc.) yet the key was
used to gain access after the date and time.  It's not a matter of trust,
but a matter of risk management.  If my key was unknowingly compromised and
then destroyed, the key is still valid unless we revoke the key.  It is far
safer than assuming that the key was destroyed.

In the case of a CA key, I would rather revoke all keys and re-issue than
take the risk that the CA key was destroyed and no other copies exist. 

So we want to restrict the ability to use the key even if it has been
destroyed because we cannot with absolution determine that the key was
destroyed and no copies exist.  In many Subscriber Agreements and
Certificate Policies, it states that the Subscriber may back up their keys
using proper safeguards as long as they are the only ones with access.  In
the event that someone leaves a company and their private key was destroyed
prior to them leaving, the back up key may be in a sealed envelope with the
passphrase at their desk or in their filing cabinet.  I know that most of us
would never do this sort of thing but many people do.   So now you are left
with a key that has not been revoked and is still active.  Would we all not
consider this a security risk?

The bottom line is that if a private key is in an unknown state, the CA
should revoke the key.

-----Original Message-----
From: Carlin Covey [mailto:ccovey@cylink.com]
Sent: Tuesday, June 12, 2001 9:07 AM
To: Paul Gogarty; Lynn.Wheeler@firstdata.com; mscherling@rsasecurity.com
Cc: Ietf-Pkix
Subject: RE: Online Certificate Revocation Protocol


Placing the certificate on hold and using some sort of hold instruction code
makes sense to me.  But the hold instruction code would have to refer to
some date after which new signatures are considered invalid.  That
presupposes a timestamp on the signed document, so there is a trusted
signature time to compare with the the "no new signatures after ..." time in
the hold code.  Of course, we could use the private key usage extension to
specify the time, if the CA, RA or subject of the signature certificate
knows this time when the certificate is issued.  In an earlier posting Lynn
Wheeler noted that in such a case the CA/RA functions might be combined with
the timestamping notary function.

Mark, is this similar to what you had in mind when you mentioned revoking
the private key?  That is, we want restrictions placed on validation of
signatures made with the private key based upon when the signatures were
created.

Regards,

Carlin

____________________________

-  Carlin Covey
   Cylink Corporation

-----Original Message-----
From: owner-ietf-pkix@mail.imc.org
[mailto:owner-ietf-pkix@mail.imc.org]On Behalf Of Paul Gogarty
Sent: Tuesday, June 12, 2001 8:11 AM
To: Ietf-Pkix
Subject: RE: Online Certificate Revocation Protocol



In cases where keys are destroyed before their revocation date would it not
make more sense to place the certificate on hold (use a combination of
'Reason Code' and 'Hold Instruction Code' CRL entry extensions).

This allows the certificate to validate as part of a certification path or
for signature verification, but provides a date after which signatures from
the certificate should not be trusted and the encryption key should not be
used.

	Paul Gogarty
	ASN.1 Developer

	De La Rue InterClear Ltd.
	De La Rue House
	Jays Close
	Viables
	Basingstoke
	England
	RG22 4BS

	Fax: +44 (0)1256 487755
	Tel: +44 (0)7879 458416
	mailto:paul.gogarty@interclear.co.uk

	http://www.interclear.co.uk/

v2.23.0 | Report a Bug | By Email