groups
Peter Williams asks about re-issuing certificates in a slightly changed
manner, and their effect on previously issued certificates.

The basic model is that certificates, once issued, are valid until they
expire. Thus, a second certificate doesn't cancel any previously
issued certificates; it can only add authorization to what is already
out there.

I have toyed with the idea of having a "supersedes" field in a certificate
that gives the hash of a previous certificate that has been superseded
by this one. E.g.

    ( supersedes ( hash ... ) )

as an optional field in a certificate.
This is for notification only, and is not enforceable.

But I think that the "certificate cancellation notice" may be a better
stand-alone procedure for doing this, based on serial numbers and/or
hashes of certificates:

    ( certificate-cancellation-notice
      ( issuer )
      ( hash ... )
      ( serial-numbers base bit-array base bit-array ... )
    )

This mechanism handles everything the "supersedes" can do, and more...

Ron Rivest

Follow-Ups:
- CCNs
- From: Carl Ellison <cme@cybercash.com>
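
An added example, not part of Ron Rivest's message: Python code showing how a verifier could consult the certificate-cancellation-notice form described above. The field values, the '0'/'1' string encoding of each bit-array (character i covers serial base+i), SHA-256 as the hash, the rule that a notice applies only to its own issuer's certificates, and all function names are assumptions.

```python
import hashlib

def parse_sexp(text):
    """Parse one parenthesised S-expression into nested lists of string atoms."""
    tokens = text.replace("(", " ( ").replace(")", " ) ").split()
    def read(pos):
        if tokens[pos] != "(":
            return tokens[pos], pos + 1
        items, pos = [], pos + 1
        while tokens[pos] != ")":
            item, pos = read(pos)
            items.append(item)
        return items, pos + 1
    try:
        tree, end = read(0)
    except IndexError:
        raise ValueError("unbalanced parentheses") from None
    if end != len(tokens):
        raise ValueError("trailing data after notice")
    return tree

def load_notice(text):
    """Return (issuer, cancelled_hashes, cancelled_serials) for one notice."""
    tree = parse_sexp(text)
    if not isinstance(tree, list) or tree[:1] != ["certificate-cancellation-notice"]:
        raise ValueError("not a certificate-cancellation-notice")
    fields = {f[0]: f[1:] for f in tree[1:] if isinstance(f, list) and f}
    pairs = fields.get("serial-numbers", [])
    if len(pairs) % 2:
        raise ValueError("serial-numbers needs base/bit-array pairs")
    serials = set()
    for base, bits in zip(pairs[0::2], pairs[1::2]):
        # Assumed encoding: character i is '1' when serial base+i is cancelled.
        serials.update(int(base) + i for i, bit in enumerate(bits) if bit == "1")
    issuer = fields.get("issuer", [None])
    return (issuer[0] if issuer else None), set(fields.get("hash", [])), serials

def is_cancelled(notice, issuer, serial, cert_bytes):
    """True if the notice names this certificate by serial number or by hash."""
    n_issuer, hashes, serials = notice
    if issuer != n_issuer:  # assumption: a notice covers only its issuer's certificates
        return False
    return serial in serials or hashlib.sha256(cert_bytes).hexdigest() in hashes

# Constructed sample data (not from the original message).
CERT = b"(cert (issuer key-A) (subject key-B) (serial 5))"
NOTICE = load_notice(f"""( certificate-cancellation-notice
  ( issuer key-A )
  ( hash {hashlib.sha256(CERT).hexdigest()} )
  ( serial-numbers 1000 10010 2000 01 ) )""")
```

The code assumes the notice has already been authenticated as coming from the issuer; the message does not define how that is done.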