On Thu, Feb 06, 2014 at 02:20:47AM +0000, Osterweil, Eric wrote:

> > I don't see any reason to de-authorize by publishing a blacklist,
> > when one can just simply stop publishing the record or replace a
> > TA record with an EE record.
> 
> Well, what about if I run a mail domain, I issue usage type 3
> certs, I don't want to run a CRL or OCSP service, and I want to
> remove a user account from my domain?

An EE cert per user is fine.  Just remove the EE cert in question
from the list of certificates associated with the user.  The
certificate is then no longer valid for signing new mail or
for encrypting new mail addressed to the user.

You're getting at a basic semantic question.  Does an SMIMEA record
publish ALL presently valid certificates for a user (a white-list
that fails closed, so blacklists are redundant), or only SOME of
the valid certificates, in which case one might conceivably want
explicit revocation...  My vote is for ALL.

-- 
        Viktor.
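As an added illustration of the whitelist semantics argued for above (example code written for this page, not from the thread or from any DANE implementation): the user's SMIMEA RRset is treated as the complete list of valid end-entity certificates, so a certificate is accepted only while a matching usage-3 record is published, and dropping the record is all the de-authorization needed. It assumes the TLSA wire-format fields (usage, selector, matching type) that SMIMEA reuses; the certificate and SPKI bytes are constructed stand-ins, not real DER.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class SmimeaRecord:
    """One SMIMEA RR (same fields as TLSA)."""
    usage: int      # 3 = DANE-EE: the record names the end-entity cert itself
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data


def association_data(mtype, blob):
    if mtype == 0:
        return blob
    if mtype == 1:
        return hashlib.sha256(blob).digest()
    if mtype == 2:
        return hashlib.sha512(blob).digest()
    raise ValueError(f"unknown matching type {mtype}")


def make_record(usage, selector, mtype, cert_der, spki_der):
    blob = cert_der if selector == 0 else spki_der
    return SmimeaRecord(usage, selector, mtype, association_data(mtype, blob))


def cert_authorized(rrset, cert_der, spki_der):
    """Fail-closed whitelist check: accept the certificate only if some
    DANE-EE (usage 3) record in the user's RRset matches it. An empty RRset,
    or one from which the record was removed, rejects without any CRL/OCSP."""
    for r in rrset:
        if r.usage != 3:
            continue  # only end-entity records are considered in this example
        blob = cert_der if r.selector == 0 else spki_der
        if r.data == association_data(r.mtype, blob):
            return True
    return False


# Constructed stand-ins for a user's DER certificate and its SPKI (not real X.509).
ALICE_CERT = b"\x30\x82constructed-certificate-for-alice"
ALICE_SPKI = b"\x30\x59constructed-spki-for-alice"


def revocation_by_omission():
    """Returns (accepted_before, accepted_after) for Alice's certificate."""
    alice = make_record(3, 1, 1, ALICE_CERT, ALICE_SPKI)
    other = make_record(3, 0, 2, b"\x30\x82other-cert", b"\x30\x59other-spki")
    rrset = {alice, other}
    before = cert_authorized(rrset, ALICE_CERT, ALICE_SPKI)
    rrset.discard(alice)  # operator stops publishing Alice's record
    after = cert_authorized(rrset, ALICE_CERT, ALICE_SPKI)
    return before, after
```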
_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane