[Smcwg-public] Certificate Suspension

Russ Housley housley at vigilsec.com
Wed Aug 24 21:16:56 UTC 2022


I tend to agree with Stephen.  I am unaware of any S/MIME client software that would handle a certificate suspension any differently than a revocation.

Russ


> On Aug 24, 2022, at 3:00 PM, Stephen Davidson via Smcwg-public <smcwg-public at cabforum.org> wrote:
> 
> Hi Ben:
>  
> Thanks for the comment.  
>  
> I believe that support for suspension is not appropriate for the publicly-trusted S/MIME for the following reasons:
>  
> - For S/MIME recipients this could be confusing, for example in the case that a signature on an email could be valid or not on different days, with no explanation. The CABF stance for publicly-trusted certificates has been that once a certificate is "bad" on a CRL it can't be "unbad".
> - For Certificate Issuers, this could also create undesired inconsistency in revocation handling across publicly-trusted certificate types, particularly in light of the changes implemented recently to create CRL consistency under the Mozilla policy for TLS.
> - For Certificate Consumers, we have no known “default” for how revocation checking is performed in client software, or how the certificateHold revocation code is treated.
>  
> I recall the WG did review this draft section about a year ago, but as there was no comment (often the case with ‘pick ups’ from other CABF standards) the topic is not specifically acknowledged in the minutes.
>  
> Best, Stephen
>  
> From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Ben Wilson via Smcwg-public
> Sent: Wednesday, August 17, 2022 2:44 PM
> To: SMIME Certificate Working Group <smcwg-public at cabforum.org>
> Subject: [Smcwg-public] Certificate Suspension
>  
> Question - did we previously discuss and decide on "Certificate Suspension"?
>  
> The draft I'm looking at says, "### 4.9.13 Circumstances for suspension
> The Repository SHALL NOT include entries that indicate that a Certificate is suspended."
>  
> Don't some legacy implementations allow suspension?
>  
> Thanks,
>  
> Ben
> _______________________________________________
> Smcwg-public mailing list
> Smcwg-public at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/smcwg-public
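
Added example, not part of this thread or of any CA/B Forum document: one way a CA or auditor could check a CRL against the quoted draft clause 4.9.13 by flagging entries whose reasonCode signals suspension. It assumes the Python `cryptography` package is installed; the function names and the sample CRL are constructed for illustration.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# RFC 5280 reason codes tied to suspension: certificateHold, and removeFromCRL,
# which a delta CRL uses to take an entry back off the list.
SUSPENSION_REASONS = {x509.ReasonFlags.certificate_hold,
                      x509.ReasonFlags.remove_from_crl}

def suspended_entries(crl):
    """Return (serial, reason) for every CRL entry that signals suspension."""
    found = []
    for entry in crl:
        try:
            ext = entry.extensions.get_extension_for_class(x509.CRLReason)
        except x509.ExtensionNotFound:
            continue  # no reasonCode extension: an ordinary revocation
        if ext.value.reason in SUSPENSION_REASONS:
            found.append((entry.serial_number, ext.value.reason.value))
    return found

def build_sample_crl():
    """Constructed test CRL: serial 1001 keyCompromise, 1002 certificateHold."""
    key = ec.generate_private_key(ec.SECP256R1())  # throwaway test key
    now = datetime.datetime(2022, 8, 24)
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(issuer)
               .last_update(now)
               .next_update(now + datetime.timedelta(days=7)))
    samples = [(1001, x509.ReasonFlags.key_compromise),
               (1002, x509.ReasonFlags.certificate_hold)]
    for serial, reason in samples:
        revoked = (x509.RevokedCertificateBuilder()
                   .serial_number(serial)
                   .revocation_date(now)
                   .add_extension(x509.CRLReason(reason), critical=False)
                   .build())
        builder = builder.add_revoked_certificate(revoked)
    return builder.sign(key, hashes.SHA256())

if __name__ == "__main__":
    for serial, reason in suspended_entries(build_sample_crl()):
        print(f"serial {serial}: reasonCode {reason} conflicts with 4.9.13")
```

To lint a published CRL instead of the constructed one, load it with `x509.load_der_x509_crl` or `x509.load_pem_x509_crl` and pass the result to `suspended_entries`.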