[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


Peter Williams ask about re-issuing certificates in a slightly changed
manner, and their effect on previously issued certificates.

The basic model is the certificates, once issued, are valid until they
expire.  Thus, a second certificate doesn't cancel any previously
issued certificates; it can only add authorization to what is already
out there.

I have toyed with the idea of having a "supersedes" field in a certificate
that gives the hash of a previous certificate that has been superseded
by this one.  E.g.

	( supersedes ( hash ... ) )

as an optional field in a certificate.

This is for notification only, and is not enforceable.  

But I think that the "certificate cancellation notice" may be a better
stand-alone procedure for doing this, based on serial numbers and/or
hashes of certificates

	( certificate-cancellation-notice
	  ( issuer )
	  ( hash ... )
	  ( serial-numbers base bit-array base bit-array ... )

This mechanism handles everything the "supersedes" can do, and more...

Ron Rivest