[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

groups

To: spki@c2.net
Subject: groups
From: rivest@theory.lcs.mit.edu (Ron Rivest)
Date: Thu, 03 Apr 97 10:38:17 EST
Cc: peter@verisign.com, blampson@microsoft.com
Sender: owner-spki@c2.net


Peter Williams ask about re-issuing certificates in a slightly changed
manner, and their effect on previously issued certificates.

The basic model is the certificates, once issued, are valid until they
expire.  Thus, a second certificate doesn't cancel any previously
issued certificates; it can only add authorization to what is already
out there.

I have toyed with the idea of having a "supersedes" field in a certificate
that gives the hash of a previous certificate that has been superseded
by this one.  E.g.

	( supersedes ( hash ... ) )

as an optional field in a certificate.

This is for notification only, and is not enforceable.  

But I think that the "certificate cancellation notice" may be a better
stand-alone procedure for doing this, based on serial numbers and/or
hashes of certificates

	( certificate-cancellation-notice
	  ( issuer )
	  ( hash ... )
	  ( serial-numbers base bit-array base bit-array ... )
        )

This mechanism handles everything the "supersedes" can do, and more...

Ron Rivest

Follow-Ups:

CCNs

From: Carl Ellison <cme@cybercash.com>

Prev by Date: names, etc.
Next by Date: Certificate Cancellation Notice
Prev by thread: names, etc.
Next by thread: CCNs
Index(es):
- Main
- Thread