Certificate Revocation Revisited Internet X.509 Public Key Infrastructure
draft-gerck-pkix-revocation-00
| Document | Type |
Expired Internet-Draft
(individual)
Expired & archived
|
|
|---|---|---|---|
| Author | Ed Gerck | ||
| Last updated | 2004-05-24 | ||
| RFC stream | (None) | ||
| Intended RFC status | (None) | ||
| Formats | |||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | Expired | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:
Abstract
PKIX certificate revocation protocols are primarily described in RFC3280. This Document revisits limitations on determining the revocation status of a certificate. Ambiguous aspects of revocation and revocation delegation are resolved. An objective point of view is introduced as a reference that does not depend on the observer (e.g., the RP). The revocation status of a certificate issued by a conforming CA is shown to be always well-defined from a relying party's point of view -- i.e., it is unambiguous (revoked or not revoked) and ultimately determinable at any period in time. The limitations on determining the revocation status of a certificate have nothing to do with the eventual result of the determination process by a relying party. The limitations have to do with the efforts for that determination, which may require a large (actually unspecified) amount of time and work. Some practices are also suggested, allowing a relying party to determine the revocation status of a certificate with higher reliability in less time. The same considerations apply to determinations of status "change" processes, including certificateHold and removefromCRL.
Authors
(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)