[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Need for Start Date

>The first, I believe, was offered by Carl Ellison.  This "generalized"
>certificate has the following minimal structure:
>      Certifying-key:  <KEY_ID>
>      Signed-key:      <KEY_ID>
>      Validity:        <DATE_RANGE>
>      Meaning:         <variable structure>
>      (cert-key signature appended).

>Another target was offered recently by Paul Leach:
>      Cert-Name:       <DNS-name>
>      Issuer-Name:     <DNS-name>
>      Key:             <base64>
>      Expires:         <RFC1123-date>
>      Serial:          <RFC822-msgID>
>      Sig:             <base64>

It might be a good idea to add a Start-Date: to both these forms.  This
date could mean either Issued-on: or Valid-from:.  If this field is added,
it would allow automatic override of an old certificate by a newer one.

SET uses a this protocol to revoke a Acquirer Payment Gateway certificate
when it has become compromised.  They issue a new certificate and
physically replace the secret key and the certificate in the gateway.  The
gateway sends the new certificate out whenever it is invoked to perform its
function.  The more recent Issue-date on the new certificate insures that
it replaces the old certificate in merchant and cardholder caches.

Regards - Bill

Bill Frantz       | The CDA means  | Periwinkle  --  Computer Consulting
(408)356-8506     | lost jobs and  | 16345 Englewood Ave.
frantz@netcom.com | dead teenagers | Los Gatos, CA 95032, USA