Rich Salz wrote:
>
> > Is there any
> > other technical solution than generating once CRL with information about a
> > certificate and then a newer CRL not containing the certificate?
>
> I don't even think you're really "supposed" to do that. Most software
> assumes that once a cert is on a CRL it never comes off.
>
> Many folks believe OCSP, which can handle the "now it's bad ... now it's
> good" model is a better way to go.
> /r$
Wait, in the RFCs it is written that to revoke a certificate it simply has to
be present on the "next due CRL". Then, even if it does not appear on subsequent
CRLs, the certificate is to be considered revoked.
I suppose this is to better support delta CRLs.
I have proposed something like a CSL (Certificate Suspension List), but it seems
people on the IETF do not share my view of the need for such a definition; some
are against the definition of "suspended" certificates and some others reject
it because they think it can be done with CRLs having, as an extension, the
onHold (or something like this... I can't remember exactly) reason.
I continue to think that a suspension list can be very useful, and, when I get
some spare time, I will re-post some messages to the ietf-pkix working group;
hopefully I have enough time to submit an RFC... (??) Who knows...
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
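The "onHold" mechanism the IETF people pointed to is the CRLReason value certificateHold (6), with release signalled by removeFromCRL (8), which RFC 5280 allows only in a delta CRL (sections 5.3.1 and 5.2.4). The following is an added example, not code from the thread or from either of its authors, that models base plus delta CRL processing in pure Python over a constructed set of entries. The CRL class, the serial numbers and the status strings are assumptions made for illustration; real CRLs are ASN.1/DER structures with signatures, issuer names and dates, all of which are deliberately left out here.

```python
"""Model of RFC 5280 CRL entry processing with certificateHold/removeFromCRL.

Added example, not from the original thread. It keeps only the pieces needed
to show how a certificate can be put on hold and later released through a
delta CRL; signatures, issuer, thisUpdate/nextUpdate and DER are omitted.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, Optional


class CRLReason(IntEnum):
    """CRLReason enumeration from RFC 5280 section 5.3.1 (value 7 is unused)."""
    unspecified = 0
    keyCompromise = 1
    cACompromise = 2
    affiliationChanged = 3
    superseded = 4
    cessationOfOperation = 5
    certificateHold = 6
    removeFromCRL = 8
    privilegeWithdrawn = 9
    aACompromise = 10


@dataclass
class CRL:
    """Hypothetical simplified CRL: a CRL number plus serial -> reason entries.

    delta_of carries the BaseCRLNumber of a delta CRL; None means a complete CRL.
    """
    number: int
    entries: Dict[int, CRLReason] = field(default_factory=dict)
    delta_of: Optional[int] = None


def validate(crl: CRL) -> None:
    """Reject entries that RFC 5280 does not permit in this kind of CRL."""
    for serial, reason in crl.entries.items():
        # removeFromCRL may only appear in delta CRLs (RFC 5280 section 5.3.1).
        if reason is CRLReason.removeFromCRL and crl.delta_of is None:
            raise ValueError(
                "serial %#x: removeFromCRL is not allowed in a complete CRL" % serial
            )


def apply_delta(base: CRL, delta: CRL) -> CRL:
    """Combine a complete CRL with a delta CRL into a new complete CRL.

    A delta entry with removeFromCRL drops the serial (used when a certificate
    is released from hold or has expired); any other reason adds or updates it.
    """
    validate(base)
    validate(delta)
    if delta.delta_of is None:
        raise ValueError("second argument is not a delta CRL")
    # The delta only applies to base CRLs at least as new as its BaseCRLNumber.
    if base.number < delta.delta_of:
        raise ValueError(
            "delta refers to base CRL %d but base is %d" % (delta.delta_of, base.number)
        )
    merged = dict(base.entries)
    for serial, reason in delta.entries.items():
        if reason is CRLReason.removeFromCRL:
            merged.pop(serial, None)
        else:
            merged[serial] = reason
    return CRL(number=delta.number, entries=merged)


def status(crl: CRL, serial: int) -> str:
    """Classify a serial against a complete CRL: good, on hold, or revoked."""
    reason = crl.entries.get(serial)
    if reason is None:
        return "good"
    if reason is CRLReason.certificateHold:
        return "on hold"
    return "revoked (%s)" % reason.name


def demo() -> Dict[int, str]:
    """Constructed scenario: one cert on hold, one permanently revoked.

    The delta CRL releases the held certificate and places a third one on hold.
    Serial numbers are made up for this example.
    """
    base = CRL(number=10, entries={
        0x1001: CRLReason.certificateHold,
        0x1002: CRLReason.keyCompromise,
    })
    delta = CRL(number=11, delta_of=10, entries={
        0x1001: CRLReason.removeFromCRL,     # released from hold
        0x1003: CRLReason.certificateHold,   # newly suspended
    })
    merged = apply_delta(base, delta)
    return {serial: status(merged, serial) for serial in (0x1001, 0x1002, 0x1003)}


if __name__ == "__main__":
    for serial, result in demo().items():
        print("%#x: %s" % (serial, result))
```

Note that a relying party that only ever fetches complete CRLs will see 0x1001 on CRL 10 and not on CRL 11; as the quoted reply says, some software treats the first sighting as permanent, which is exactly the gap suspension-aware processing (or OCSP) is meant to close.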