[caops-wg] on-hold cert revocation ("suspend") to disappear?
Mike Helm
helm at fionn.es.net
Mon Nov 27 15:54:06 CST 2006
------- Forwarded Message
>From SRS0=c649ea436bb7f94904d7eb80db940951b33abd3e=167=mail.imc.org=owner-ietf-pkix at es.net Mon Nov 27 12:55:57 2006
Message-ID: <456B47D1.2050405 at cs.tcd.ie>
Date: Mon, 27 Nov 2006 20:17:21 +0000
From: Stephen Farrell <stephen.farrell at cs.tcd.ie>
User-Agent: Thunderbird 1.5.0.8 (Windows/20061025)
MIME-Version: 1.0
To: Russ Housley <housley at vigilsec.com>
CC: ietf-pkix at imc.org
Subject: Re: on-hold certificates in CRLs
References: <a7d7da420611270753s70be3596qebe24ea9f3aff6b at mail.gmail.com> <7.0.0.16.2.20061127140855.07404318 at vigilsec.com>
In-Reply-To: <7.0.0.16.2.20061127140855.07404318 at vigilsec.com>
List-ID: <ietf-pkix.imc.org>
Bit of a late change, but a good one,
S.
Russ Housley wrote:
>
> I would like to take this opportunity to advocate the deprecation of "on
> hold" altogether. No good can come from it, as been discussed so many
> times on this list.
>
> I can live with the current text, but I think it would be far better to
> say that the "on hold" status MUST NOT be used by CAs conforming to
> 3280bis.
>
> Russ
>
> At 10:53 AM 11/27/2006, Carlos González-Cadenas wrote:
>> Hi,
>>
>> Suppose we have the following ordered temporal sequence
>>
>> t1 - a certificate with serial "S1" is issued by a CA
>> t2 - the certificate is put on-hold by the CA (i.e. in order to
>> investigate a possible compromise)
>> t3 - a full CRL is issued by the CA
>> t4 - the investigation carried by the CA ends up in no compromise, and
>> the CA makes the certificate valid again
>> t5 - a delta CRL is issued by the CA
>> t6 - a full CRL is issued by the CA
>>
>> Does the CRL logs all the revocation-related events for the
>> certificate with serial S1?.
>>
>> If we assume that all the events are logged, then the CRLs contents
>> (for certificate with serial S1) should be:
>>
>> full CRL issued at t3: contains an entry for S1 at t3 with reason code
>> on-hold
>> delta CRL issued at t5: contains the previous full CRL entry plus an
>> entry for S1 at t5 with reason code removeFromCRL
>> full CRL issued at t6: contains both previous entries (so you know
>> the on-hold period for the certificate) (maybe this is violating
>> RFC3280 as removeFromCRL is only applicable for deltaCRLs??)
>>
>> If we assume that NOT all events are logged, CRLs issued >=T6 don't
>> include revocation entries for certificate S1, that is
>>
>> full CRL issued at t3: contains an entry for S1 at t3 with reason code
>> on-hold
>> delta CRL issued at t5: contains the previous full CRL entry plus an
>> entry for S1 at t5 with reason code removeFromCRL
>> full CRL issued at t6: contains NO entry for S1
>>
>> Which is the normative (RFC3280) behaviour for that case?. Is there
>> any change between RFC3280 and RFC3280bis about these issues?
>>
>> Note that if the second case is the normative behaviour IMHO there's
>> no way (except storing the CRLs between t2 and the next CRL appeared
>> after t4) for a relying party (verifying the certificate in or after
>> t6) to know the certificate status between t2 and t4.
>>
>> Many thanks in advance,
>>
>> Carlos
>>
>
>
------- End of Forwarded Message
More information about the caops-wg
mailing list