[Smcwg-public] Certificate Suspension

Stephen Davidson Stephen.Davidson at digicert.com
Wed Aug 24 19:00:23 UTC 2022


Hi Ben:



Thanks for the comment.



I believe that support for suspension is not appropriate for the publicly-trusted S/MIME for the following reasons:



* For S/MIME recipients this could be confusing, for example in the case that a signature on an email could be valid or not on different days, with no explanation. The CABF stance for publicly-trusted certificates has been that once a certificate is "bad" on a CRL it can't be "unbad".
* For Certificate Issuers, this could also create undesired inconsistency in revocation handling across publicly-trusted certificate types, particularly in light of the changes implemented recently to create CRL consistency under the Mozilla policy for TLS.
* For Certificate Consumers, we have no known “default” for how revocation checking is performed in client software, or how the certificateHold revocation code is treated.



I recall the WG did review this draft section about a year ago, but as there was no comment (often the case with ‘pick ups’ from other CABF standards) the topic is not specifically acknowledged in the minutes.



Best, Stephen

From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Ben Wilson via Smcwg-public
Sent: Wednesday, August 17, 2022 2:44 PM
To: SMIME Certificate Working Group <smcwg-public at cabforum.org>
Subject: [Smcwg-public] Certificate Suspension



Question - did we previously discuss and decide on "Certificate Suspension"?



The draft I'm looking at says, "### 4.9.13 Circumstances for suspension
The Repository SHALL NOT include entries that indicate that a Certificate is suspended."



Don't some legacy implementations allow suspension?



Thanks,



Ben
