Hi Dave,

My personal opinion is that if a certificate is not used for a long
period of time and there are no other constraints (e.g., special
smart cards/USB tokens involved) you have two options:
* Keep it Valid - more compatible option if you want to re-use it
  later (if it cannot be used to access information that the user
  is not supposed to during the "suspension" period)
* Revoke it - and issue another certificate when the user needs a
  new one (safest option)
Depending on costs of operations you might want to go in one or
another direction. I would say that if the certificate is issued
on a software token (e.g., not a USB/SmartCard/etc.) the safest is
to revoke it.

Who knows how the user will treat his own private key?

Also, if you use certificates to provide authentication + authorization,
you cannot allow a certificate to be valid. If, instead, the backend
of your applications can authorize the user based on internal data
(not only the capability of using a valid certificate) then you might
go for keeping the certificate valid.

Keep in mind, though, that keeping the certificate valid will allow the
user to use it - e.g., for sending emails - and you, as CA, guarantee that
the information on the certificate is valid. So... the decision might
also depend on your certification policy...

I hope these considerations will help you... :D

Cheers,
Max



On 04/05/2010 02:25 PM, blain...@gdls.com wrote:

Hi Max,

Thanks for the response... I would figure it doesn't matter - the
application could figure the certificate is revoked until it was
reactivated. So is there a recommended approach to dealing with unused
certificates for long periods of time?

Dave
