[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Need for Start Date

At 18:02 3/14/96, Bill Frantz wrote:

>It might be a good idea to add a Start-Date: to both these forms.  This
>date could mean either Issued-on: or Valid-from:.  If this field is added,
>it would allow automatic override of an old certificate by a newer one.
>SET uses a this protocol to revoke a Acquirer Payment Gateway certificate
>when it has become compromised.  They issue a new certificate and
>physically replace the secret key and the certificate in the gateway.  The
>gateway sends the new certificate out whenever it is invoked to perform its
>function.  The more recent Issue-date on the new certificate insures that
>it replaces the old certificate in merchant and cardholder caches.

There's a problem with SET's use of a newer cert to implicitly invalidate
an older one.  That turns the new one into an implicit revocation
certificate.  That, in turn, requires some statement about the length of
time you're allowed to trust the information you get when you check with
the CA to find out if there's a CRL update, or a new revocation
certificate.  In none of your summary of SET did you mention such a time
limit as a field in the certificate.  Without that delta-time specified
explicitly, you're forced to check with the CA, on-line, every time you are
about to use a certificate.

|Carl M. Ellison          cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc., Suite 430                   http://www.cybercash.com/    |
|2100 Reston Parkway           PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Reston, VA 22091      Tel: (703) 620-4200                                 |