[Smcwg-public] Certificate Suspension
Stephen Davidson
Stephen.Davidson at digicert.com
Wed Aug 24 19:00:23 UTC 2022
Hi Ben:
Thanks for the comment.
I believe that support for suspension is not appropriate for publicly-trusted S/MIME for the following reasons:
* For S/MIME recipients this could be confusing, for example in the case that a signature on an email could be valid or not on different days, with no explanation. The CABF stance for publicly-trusted certificates has been that once a certificate is "bad" on a CRL it can't be "unbad".
* For Certificate Issuers, this could also create undesired inconsistency in revocation handling across publicly-trusted certificate types, particularly in light of the changes implemented recently to create CRL consistency under the Mozilla policy for TLS.
* For Certificate Consumers, we have no known “default” for how revocation checking is performed in client software, or how the certificateHold revocation code is treated.
I recall the WG did review this draft section about a year ago, but as there was no comment (often the case with ‘pick ups’ from other CABF standards) the topic is not specifically acknowledged in the minutes.
Best, Stephen
From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Ben Wilson via Smcwg-public
Sent: Wednesday, August 17, 2022 2:44 PM
To: SMIME Certificate Working Group <smcwg-public at cabforum.org>
Subject: [Smcwg-public] Certificate Suspension
Question - did we previously discuss and decide on "Certificate Suspension"?
The draft I'm looking at says, "### 4.9.13 Circumstances for suspension
The Repository SHALL NOT include entries that indicate that a Certificate is suspended."
Don't some legacy implementations allow suspension?
Thanks,
Ben