[Smcwg-public] Certificate Suspension

[Tim Hollebeek]

I would love to hear from Certificate Consumers whether they are / are not interested in improving suspension in these ways.  If they are, then perhaps this is worth working on.  If they aren’t, then it would likely be a wasted effort.

While thinking about this a bit more last night, I realized that the experience is probably even more a nightmare than I had anticipated, as the correct implementation would need to check whether the certificate was suspended at the time the email was signed, not whether the certificate is currently suspended.  I doubt it currently works that way in all current mail clients.  Otherwise you can retroactively invalidate a whole bunch of signatures that happened way before whatever event triggered the need for temporary suspension.  I don’t even want to think about all the games you can play with asking for your certificate to be suspended temporarily whenever you want to manipulate whether your historical signatures validate successfully or not.

-Tim

The SMCWG is about to create a new Guideline document with some industry-agreed principles and policies. The fact that things are not coordinated today shouldn't prevent us from designing improvements for tomorrow. Perhaps some Certificate Consumers will decide to add the necessary development time and improve the existing implementations based on the SMBRs.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20220826/9e70c5a4/attachment.html>