On Sat, Jun 22, 2002 at 06:50:58AM +1000, Greg Rose wrote:
> a) it isn't clear to me that RSA would have the right to revoke the
> organisation's certificate; maybe they build it into their license agreement.

I hope that they would reserve the right to revoke the certificate before it expires. There has to be a way for RSA to say that 'we no longer trust the entity possessing this certificate'. Even if a company has paid for the certificate, it should still be revocable in the event of breach of contract, or loss/theft of the certificate.

> b) browsers *don't check* the revocation status on certificates, and the
> field that points to the server for the revocation list is almost never
> filled in anyway.

That's a good point, but I think it's more of an argument that the browser-certificate model was already broken, not that this new service suddenly changes anything.

Ian Clelland
<[EMAIL PROTECTED]>