[Smcwg-public] [EXTERNAL]-Re: Certificate Suspension

Pedro FUENTES pfuentes at WISEKEY.COM
Fri Aug 26 14:38:48 UTC 2022


This is what I said in my (probably poorly written) mail. 
This is not about immediate validity, but about validity at the time of signature. 
In doc signing this is solved by adding the revocation status to the signature data, and I doubt cert consumers would do that. 
Therefore, although I personally support suspension in general, I don’t think it is feasible in this case. 
P

> On 26 August 2022 at 16:26, Tim Hollebeek via Smcwg-public <smcwg-public at cabforum.org> wrote:
> 
> 
> I would love to hear from Certificate Consumers whether they are / are not interested in improving suspension in these ways.  If they are, then perhaps this is worth working on.  If they aren’t, then it would likely be a wasted effort.
>  
> While thinking about this a bit more last night, I realized that the experience is probably even more a nightmare than I had anticipated, as the correct implementation would need to check whether the certificate was suspended at the time the email was signed, not whether the certificate is currently suspended.  I doubt it currently works that way in all current mail clients.  Otherwise you can retroactively invalidate a whole bunch of signatures that happened way before whatever event triggered the need for temporary suspension.  I don’t even want to think about all the games you can play with asking for your certificate to be suspended temporarily whenever you want to manipulate whether your historical signatures validate successfully or not.
>  
> -Tim
>  
> The SMCWG is about to create a new Guideline document with some industry-agreed principles and policies. The fact that things are not coordinated today shouldn't prevent us from designing improvements for tomorrow. Perhaps some Certificate Consumers will decide to add the necessary development time and improve the existing implementations based on the SMBRs. 
> 
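Added example, not part of the original thread: a Python sketch of the difference discussed above between asking whether a certificate is suspended now and whether it was suspended when the message was signed. The status history, dates and function names are constructed, and it assumes a trusted signing time and a full record of hold and release events are available to the verifier.

```python
from datetime import datetime, timezone

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed status history for one certificate: (effective time, new status).
# "hold" = suspended (CRL reason certificateHold); "good" = hold released.
HISTORY = [
    (utc(2022, 3, 1), "hold"),
    (utc(2022, 3, 8), "good"),
    (utc(2022, 8, 20), "hold"),
]

# Constructed signing times (assumption: trusted, e.g. from a timestamp).
SIGNED = {
    "before any hold": utc(2022, 1, 15),
    "during first hold": utc(2022, 3, 3),
    "between holds": utc(2022, 6, 1),
}

def status_at(history, when):
    """Status in force at `when`; "good" before the first recorded event."""
    status = "good"
    for effective, new_status in sorted(history):
        if effective > when:
            break
        status = new_status
    return status

def verdicts(history, signed, now):
    """Per message: (accepted by 'suspended now?', accepted by 'suspended at signing?')."""
    current_ok = status_at(history, now) == "good"
    return {
        label: (current_ok, status_at(history, t) == "good")
        for label, t in signed.items()
    }

if __name__ == "__main__":
    for now in (utc(2022, 6, 15), utc(2022, 8, 26)):
        print("evaluated", now.date())
        for label, (naive, at_signing) in verdicts(HISTORY, SIGNED, now).items():
            print(f"  {label:18} now-check={naive!s:5} signing-time-check={at_signing}")
```

Evaluated on 26 August the now-check rejects all three messages, including the two signed while the certificate was good; evaluated on 15 June it accepts the one signed during the first hold.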

