On Mon, 19 Jun 2000, Rich Salz wrote:
> > Is there any
> > other technical solution than generating once CRL with information about a
> > certificate and then a newer CRL not containing the certificate?
>
> I don't even think you're really "supposed" to do that. Most software
> assumes that once a cert is on a CRL it never comes off.
>
> Many folks believe OCSP, which can handle the "now it's bad ... now it's
> good" model is a better way to go.
> /r$
Hmmm. Doesn't this get really complicated? As in suppose you have a
document that is signed by a cert that has been suspended and then has
been reinstated. In order to verify that the document was signed by the
cert "when it was good", you would need to know:
1. when the cert was signed (and this must be a "signed datestamp"
(signed by a trusted third party), because someone could forge the date)
2. every period when the cert was suspended
3. every period when the cert was valid
I suppose someone is thinking about how to do all this...
yuji
----
Yuji Shinozaki, Computer Systems Senior Engineer
Advanced Technologies Group, Information Technology & Communication
University of Virginia
[EMAIL PROTECTED]
(804)924-7171
http://www.people.virginia.edu/~ys2n
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
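The verification problem Yuji sketches (was the cert "good" at the moment the document was signed, given a history of suspensions?) can be worked through against a sequence of CRLs. The following is an added example, not code from the thread or from OpenSSL. It reconstructs the suspension and revocation periods of one serial number from the CRLs in which it appears, then checks a trusted signing timestamp against those periods. All names (`Crl`, `CrlEntry`, `bad_periods`, `status_at`, `anomalies`, the `utc` helper) and all dates and serials are constructed for the example. It assumes one issuer, that the signing time comes from a trusted timestamp rather than the document's own date, and that a serial dropping out of a later CRL is read as "released" at that CRL's `thisUpdate`, since a CRL does not record exactly when a hold was lifted. It also encodes the conservative policy Rich describes: only a `certificateHold` entry is allowed to come off the CRL; a revocation with any other reason is treated as permanent even if a later CRL omits it, and such omissions are reported as anomalies.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

CERTIFICATE_HOLD = 6  # CRLReason code for a temporary suspension (RFC 5280)


@dataclass(frozen=True)
class CrlEntry:
    serial: int
    revocation_date: datetime  # when the CA says the cert stopped being good
    reason: Optional[int]      # CRLReason code, None if the CA gave none


@dataclass(frozen=True)
class Crl:
    this_update: datetime
    entries: Tuple[CrlEntry, ...]

    def entry_for(self, serial: int) -> Optional[CrlEntry]:
        return next((e for e in self.entries if e.serial == serial), None)


def utc(y: int, m: int, d: int, h: int = 0) -> datetime:
    return datetime(y, m, d, h, tzinfo=timezone.utc)


# Constructed CRL history (not real data). Serial 0x1234 is put on hold on
# 7 June, released by the CRL of 15 June, then revoked for keyCompromise (1)
# on 20 June. Serial 0x5678 is revoked for keyCompromise on 10 June and then
# wrongly dropped from the 22 June CRL, which the thread says should not happen.
SAMPLE_CRLS = (
    Crl(utc(2000, 6, 1), ()),
    Crl(utc(2000, 6, 8), (CrlEntry(0x1234, utc(2000, 6, 7), CERTIFICATE_HOLD),)),
    Crl(utc(2000, 6, 15), (CrlEntry(0x5678, utc(2000, 6, 10), 1),)),
    Crl(utc(2000, 6, 22), (CrlEntry(0x1234, utc(2000, 6, 20), 1),)),
)

Period = Tuple[datetime, Optional[datetime], Optional[int]]  # (start, end, reason)


def bad_periods(serial: int, crls) -> List[Period]:
    """Intervals [start, end) during which `serial` was listed on a CRL.

    start is the entry's revocationDate; end is the thisUpdate of the first
    later CRL that no longer lists the serial, or None if still listed.
    """
    periods: List[Period] = []
    open_period = None
    for crl in sorted(crls, key=lambda c: c.this_update):
        entry = crl.entry_for(serial)
        if entry is not None and open_period is None:
            open_period = (entry.revocation_date, entry.reason)
        elif entry is None and open_period is not None:
            start, reason = open_period
            periods.append((start, crl.this_update, reason))
            open_period = None
    if open_period is not None:
        periods.append((open_period[0], None, open_period[1]))
    return periods


def anomalies(serial: int, crls) -> List[Period]:
    """Periods that were closed although the reason was not certificateHold."""
    return [p for p in bad_periods(serial, crls)
            if p[1] is not None and p[2] != CERTIFICATE_HOLD]


def status_at(serial: int, signing_time: datetime, not_before: datetime,
              not_after: datetime, crls) -> str:
    """Status of `serial` at a trusted signing time: good, suspended,
    revoked, or outside_validity."""
    if signing_time < not_before or signing_time >= not_after:
        return "outside_validity"
    for start, end, reason in bad_periods(serial, crls):
        if reason != CERTIFICATE_HOLD:
            end = None  # anything but a hold is permanent, whatever later CRLs say
        if start <= signing_time and (end is None or signing_time < end):
            return "suspended" if reason == CERTIFICATE_HOLD else "revoked"
    return "good"


if __name__ == "__main__":
    nb, na = utc(2000, 1, 1), utc(2001, 1, 1)
    for when in (utc(2000, 6, 5), utc(2000, 6, 10), utc(2000, 6, 16), utc(2000, 6, 21)):
        print(when.date(), status_at(0x1234, when, nb, na, SAMPLE_CRLS))
    print("anomalies for 0x5678:", anomalies(0x5678, SAMPLE_CRLS))
```

The gap the post points at is visible in `bad_periods`: the end of a hold is only known to the granularity of the next CRL's `thisUpdate`, so a signature made between the actual release and that CRL is still reported as "suspended". That is the conservative answer; getting a sharper one needs a status source that records the release time, which is the argument for OCSP or for keeping the full CRL archive rather than only the newest CRL.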