W3C home > Mailing lists > Public > public-webcrypto@w3.org > August 2012

Re: crypto-ISSUE-16: Definition for Key Expiration [Web Cryptography API]

From: Ryan Sleevi <sleevi@google.com>
Date: Sun, 5 Aug 2012 22:12:16 -0700
Message-ID: <CACvaWvaVUAjNmPJ7CazySBa81ek8Y00C5h=bGi=Zz_OfohT6LQ@mail.gmail.com>
To: Mountie Lee <mountie@paygate.net>
Cc: Web Cryptography Working Group <public-webcrypto@w3.org>, David Dahl <ddahl@mozilla.com>, Vijay Bharadwaj <Vijay.Bharadwaj@microsoft.com>
On Sun, Aug 5, 2012 at 9:58 PM, Mountie Lee <mountie@paygate.net> wrote:
> Hi.
> for determining key expiration,
> are CRL or OCSP in scope of low level api?
>
> regards
> mountie.

No. CRL and OCSP represent high-level protocols, and are only relevant
in the context of a specific certificate.

For example, a given key may have multiple certificates associated
with it (crypto-ISSUE-15). As such, it's possible to imagine a
scenario where one of the certificates has been revoked by the issuer,
while another has it still valid.

This is similar to the issue I note with overlapping validity dates.

With the low-level API, however, it's certainly possible to integrate
a CRL or OCSP checker, if there is a particular certificate to be
checked. The low-level API provides sufficient primitives that,
combined with XMLHttpRequest, an application could generate an OCSP
request, or parse a CRL or OCSP response.

Regards,
Ryan
Received on Monday, 6 August 2012 05:12:43 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 6 August 2012 05:12:44 GMT