
Re: Certificate Cancellation Notices (CCN)

> Brian Thomas (below) asks how the CCN's work.
> I guess I would expect a server to keep around recent CCN's it has
> received.  If a client submits a certificate that is apparently valid,
> but which is listed on a CCN, then the server can disregard that
> certificate.

I think the CCN can be reconciled with Ron's original "never
revoke" proposal.

If a certificate is going to be susceptible to cancellation then
the necessary checks should be incorporated in the certificate.
This is equivalent to the Credit Card industry idea of a "floor
limit", the shopkeeper can accept goods up to $50 without an
authorisation code, above that they phone for authorisation.
[disclaimer, this varies from country to country].

So an assertion might be :-

Bill Clinton is identified by the key <foo>
	Clinton is authorised to sign bills up to $1 billion.
	Before setting off nuclear missiles check the cert
		is not revoked at http://keyserver.whitehouse.gov/
		according to the 

I'm deliberately using fuzzy language here. The revocation 
process would be itself specified in the cert. It might be a
Micali-like lightweight scheme, it might be a passive or active
revocation instruction. There might be a need to get "proof".

The basis of a certificate is "I assert that I have determined X
to be true by process Y, I will guarantee this information to
be correct in the sum P provided you verify it using procedure Q".