[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Revocation...

To: Ron Rivest <rivest@theory.lcs.mit.edu>
Subject: Re: Revocation...
From: Ben Laurie <ben@algroup.co.uk>
Date: Mon, 13 Apr 1998 23:21:43 +0100
CC: spki@c2.net, blampson@microsoft.com
Organization: A.L. Digital Ltd.
References: <199804132204.SAA06281@swan>
Sender: owner-spki@c2.net

Ron Rivest wrote:
> 
> Yes, the idea is that during the first phase (between the not-before and
> the good-until), no checks are needed, and that if you do a check during
> the second phase (between the good-until and the not-after) you get back
> a new certificate with new not-before/good-until/not-after dates...

Hasn't this effectively been proposed before (though I forget in what
context) in the form of a "check every n days" rule? OTOH, doing it this
way is cleaner, clearer and more guaranteed not to go wrong.

The next question, though, is, if it is after the good-until date, but I
can't, or won't, check the cert, what is its status? If it is OK to use
the cert anyway, then why have it (good-until, that is), and if it
isn't, then how is it different from the not-after date?

Cheers,

Ben.

-- 
Ben Laurie            |Phone: +44 (181) 735 0686|  Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org
and Technical Director|Email: ben@algroup.co.uk |
A.L. Digital Ltd,     |Apache-SSL author    http://www.apache-ssl.org/
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache

References:

Revocation...

From: Ron Rivest <rivest@theory.lcs.mit.edu>

Prev by Date: Revocation...
Next by Date: Revocation.
Prev by thread: Revocation...
Next by thread: Revocation.
Index(es):
- Main
- Thread