
Re: Revocation...

Ron Rivest wrote:
> Yes, the idea is that during the first phase (between the not-before and
> the good-until), no checks are needed, and that if you do a check during
> the second phase (between the good-until and the not-after) you get back
> a new certificate with new not-before/good-until/not-after dates...

Hasn't this effectively been proposed before (though I forget in what
context) in the form of a "check every n days" rule? OTOH, doing it this
way is cleaner, clearer and more guaranteed not to go wrong.

The next question, though, is, if it is after the good-until date, but I
can't, or won't, check the cert, what is its status? If it is OK to use
the cert anyway, then why have it (good-until, that is), and if it
isn't, then how is it different from the not-after date?



Ben Laurie            |Phone: +44 (181) 735 0686|  Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org
and Technical Director|Email: ben@algroup.co.uk |
A.L. Digital Ltd,     |Apache-SSL author    http://www.apache-ssl.org/
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache
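The three-date scheme quoted above (not-before, good-until, not-after, with no check in the first phase and a check-and-reissue in the second) can be modelled directly. The following is an added example, not code from this thread or from any real PKI implementation; the `Cert`, `evaluate` and `make_issuer` names, the `accept_uncheckable` policy flag and the sample dates are all constructed here. The flag exists precisely so that the question raised in the reply (after good-until but unable or unwilling to check) is an explicit relying-party policy rather than an accident of the code.

```python
"""Three-phase certificate validity (not-before / good-until / not-after).

Added example modelling the scheme quoted in the thread; it is not code
from the thread or from any real PKI library.  The policy flag
`accept_uncheckable` is an assumption introduced here to make the
"after good-until but cannot check" outcome explicit.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Callable, Optional


class Status(Enum):
    NOT_YET_VALID = "not-yet-valid"   # before not-before
    VALID = "valid"                   # first phase: no check required
    REFRESHED = "refreshed"           # second phase: check done, new cert issued
    UNCHECKABLE = "uncheckable"       # second phase: check could not be performed
    EXPIRED = "expired"               # at or after not-after


@dataclass(frozen=True)
class Cert:
    subject: str
    not_before: datetime
    good_until: datetime
    not_after: datetime

    def __post_init__(self) -> None:
        # The three dates only make sense in this order.
        if not (self.not_before < self.good_until <= self.not_after):
            raise ValueError("need not-before < good-until <= not-after")


@dataclass(frozen=True)
class Result:
    status: Status
    usable: bool      # may the relying party act on the cert right now?
    cert: Cert        # the cert to keep using (possibly the re-issued one)


# A check returns a re-issued cert, or None when the issuer is unreachable
# or refuses to re-issue (for instance because the cert has been revoked).
CheckFn = Callable[[Cert, datetime], Optional[Cert]]


def evaluate(cert: Cert, now: datetime, check: CheckFn,
             accept_uncheckable: bool = False) -> Result:
    """Apply the three-phase rule at time `now`."""
    if now < cert.not_before:
        return Result(Status.NOT_YET_VALID, False, cert)
    if now >= cert.not_after:
        # Hard boundary: no check can rescue the cert; it is simply expired.
        return Result(Status.EXPIRED, False, cert)
    if now < cert.good_until:
        # First phase: trust the cert outright, no check needed.
        return Result(Status.VALID, True, cert)
    # Second phase: a check is required; on success we get fresh dates.
    fresh = check(cert, now)
    if fresh is not None:
        return Result(Status.REFRESHED, True, fresh)
    # Check unavailable or refused.  Whether the old cert is still usable is
    # exactly the open question in the thread; here it is a policy knob.
    return Result(Status.UNCHECKABLE, accept_uncheckable, cert)


def make_issuer(phase1: timedelta, phase2: timedelta, revoked: set):
    """Build a check function for a toy issuer (constructed for this example)."""
    def check(cert: Cert, now: datetime) -> Optional[Cert]:
        if cert.subject in revoked:
            return None                      # issuer declines to re-issue
        return Cert(cert.subject, now, now + phase1, now + phase1 + phase2)
    return check


def unreachable(cert: Cert, now: datetime) -> Optional[Cert]:
    """Check function standing in for an issuer that cannot be contacted."""
    return None


# Constructed sample timeline: valid from T0, checks required after 30 days,
# hard expiry at 90 days.
T0 = datetime(2000, 1, 1, tzinfo=timezone.utc)
DAY = timedelta(days=1)
SAMPLE = Cert("alice", T0, T0 + 30 * DAY, T0 + 90 * DAY)


if __name__ == "__main__":
    issuer = make_issuer(30 * DAY, 60 * DAY, revoked=set())
    for day in (10, 40, 100):
        r = evaluate(SAMPLE, T0 + day * DAY, issuer)
        print(day, r.status.value, r.usable, r.cert.good_until.date())
    print(40, evaluate(SAMPLE, T0 + 40 * DAY, unreachable).status.value)
```

With `accept_uncheckable=False` the relying party fails closed after good-until whenever the check cannot be made, so good-until behaves like a soft not-after; with it set to `True` the cert stays usable until the hard not-after, and good-until only governs when a check is attempted. The two settings correspond to the two horns of the question in the reply, and which one a deployment wants is a policy decision, not something the date format itself settles.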