[Smcwg-public] Certificate Suspension
Doug Beattie
doug.beattie at globalsign.com
Thu Aug 25 17:43:57 UTC 2022
Then maybe it could/should work like this?
- Sender sends a signed message
- The Sender's certificate gets suspended
- Recipient tries to verify the signature and is told that
the Sender's certificate is SUSPENDED
- The Sender's certificate gets unsuspended
- Recipient tries to verify the signature from a save folder
and is told that the signature is fine
-----Original Message-----
From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Russ
Housley via Smcwg-public
Sent: Thursday, August 25, 2022 1:30 PM
To: Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr>
Cc: SMIME Certificate Working Group <smcwg-public at cabforum.org>
Subject: Re: [Smcwg-public] Certificate Suspension
Dimitris:
>> I tend to agree with Stephen. I am unaware of any S/MIME client software
>> that would handle a certificate suspension any differently than a
>> revocation.
>
> Which is perfectly fine and expected when a certificate is "suspended"
> (i.e. not to be trusted at time of verification). If an S/MIME client
> software wants to provide some kind of different UI message like "this
> certificate is currently suspended" instead of "the signing certificate is
> revoked" and explain what that means, IMO that would be an improvement
> similar to what's happening with the server TLS user agents providing
> different user experience depending on the revocationReason code.
This is a topic that has been discussed over and over since the mid 1990s.
It never gets consensus in either direction. I predict that will be the
case here too.
I worry that the following series of events leads to a confused user:
- Sender sends a signed message
- The Sender's certificate gets suspended
- Recipient tries to verify the signature and is told that
the Sender's certificate is revoked
- The Sender's certificate gets unsuspended
- Recipient tries to verify the signature from a save folder
and is told that the signature is fine
A normal human will not understand what happened.
Russ
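
The sequence of events discussed in this thread, replayed as an added example (not code from the thread's participants or from any S/MIME client): the same stored message is checked during and after a hold, once by a client that reports a hold as a revocation and once by a client that reports it as a suspension. The CRL snapshots, serial number, dates and message strings are constructed, and the verifier is assumed to check status at verification time against full CRLs.

```python
from datetime import datetime, timezone
from enum import IntEnum

class Reason(IntEnum):
    # CRLReason values from RFC 5280, section 5.3.1
    KEY_COMPROMISE = 1
    CERTIFICATE_HOLD = 6

def ts(day, hour=0):
    return datetime(2022, 8, day, hour, tzinfo=timezone.utc)

SERIAL = 0x1001  # constructed serial of the sender's certificate

# Constructed full CRLs: (thisUpdate, {serial: reason}).
# A hold that is lifted simply drops out of the next full CRL.
CRLS = [
    (ts(1), {}),
    (ts(3), {SERIAL: Reason.CERTIFICATE_HOLD}),
    (ts(5), {}),
]

def status_at(crls, serial, when):
    """Status from the newest CRL issued at or before `when`."""
    usable = [c for c in crls if c[0] <= when]
    if not usable:
        return "unknown"
    _, entries = max(usable, key=lambda c: c[0])
    reason = entries.get(serial)
    if reason is None:
        return "good"
    return "suspended" if reason == Reason.CERTIFICATE_HOLD else "revoked"

def ui_message(status, distinguish_hold):
    """Text shown to the recipient for a signature check."""
    if status == "good":
        return "signature is fine"
    if status == "suspended" and distinguish_hold:
        return "sender's certificate is SUSPENDED"
    if status in ("suspended", "revoked"):
        return "sender's certificate is revoked"
    return "revocation status unavailable"

def replay(distinguish_hold):
    """Recipient checks the same stored message during and after the hold."""
    checks = [ts(4), ts(6)]
    return [ui_message(status_at(CRLS, SERIAL, t), distinguish_hold) for t in checks]

if __name__ == "__main__":
    print("hold shown as revoked:  ", replay(False))
    print("hold shown as suspended:", replay(True))
```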