Re: Certificate Cancellation Notices (CCN)



On Thu, 3 Apr 1997, Ron Rivest wrote:

> I guess I would expect a server to keep around recent CCN's it has
> received.  If a client submits a certificate that is apparently valid,
> but which is listed on a CCN, then the server can disregard that
> certificate.

I believe that practically all CCNs would be issued with the same
validity period as the certificates they represent.  There is not much
sense in cancelling a certificate that has expired, now is there?
However, if someone were to issue a CCN with a different validity
period, we would actually acquire a "Certificate Blocking Notice"
(CBN ?).

I imagine this could be used for things I cannot even imagine right
now.  An example probably explains what I mean better than I do.

Cert lifetime |--------------------------------------------|
CBN  lifetime          |------------------|

An administrator has to move the home directories of users A, B and C
from one disk to another.  To prevent them from logging in during the
operation, he issues a CBN with a limited validity period and sends it
to the login server.  The server blocks any logins during that period,
but discards the CBN when it expires, allowing further logins using
the old certificates of A, B and C.

Does anyone see any serious flaws in this?

Camillo

Camillo Särs <Camillo.Sars@DataFellows.com>     Data Fellows Ltd.
F-Secure Support
http://www.Europe.DataFellows.com/              Secure Networking(tm) with
http://www.iki.fi/ged                           F-Secure SSH
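The blocking-notice scheme sketched in the post above, written out as an added example (it is not code from the original message or from the SPKI work): a login server keeps the notices it has received, treats a CCN as a notice that shares the certificate's own validity period, refuses a certificate while a matching notice is in force, and discards notices once they expire. The names Cert, BlockingNotice and LoginServer are assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    not_before: int   # validity window, as seconds or any monotonic tick
    not_after: int

@dataclass(frozen=True)
class BlockingNotice:
    subjects: frozenset   # subjects whose certificates are blocked
    not_before: int       # notice validity window
    not_after: int

def ccn_for(cert):
    """A CCN in the post's sense: a notice whose validity period equals the
    certificate's own, so it blocks the certificate for its whole lifetime."""
    return BlockingNotice(frozenset([cert.subject]), cert.not_before, cert.not_after)

class LoginServer:
    def __init__(self):
        self.notices = []

    def receive_notice(self, notice):
        self.notices.append(notice)

    def _discard_expired(self, now):
        # A notice is dropped only after its own window has closed; this relies on
        # the server's local clock, which the scheme has to trust.
        self.notices = [n for n in self.notices if n.not_after >= now]

    def accepts(self, cert, now):
        """True if the certificate is within its validity and no notice in force
        at time `now` names its subject."""
        self._discard_expired(now)
        if not (cert.not_before <= now <= cert.not_after):
            return False
        for n in self.notices:
            if cert.subject in n.subjects and n.not_before <= now <= n.not_after:
                return False
        return True
```

With the post's disk-move scenario, a CBN covering only the maintenance window blocks A, B and C during it and is gone afterwards, while a CCN built with ccn_for() blocks for the certificate's whole life.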
