RE: Odd/bad sentence in 5.4.1

What if we add a clarifying statement something like:

"The user agent MUST NOT use an expired certificate for any purpose in
which it would not use a revoked certificate."

I'd like to hear Phill's views on this.  Mike


-----Original Message-----
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
On Behalf Of Thomas Roessler
Sent: Wednesday, April 02, 2008 11:58 AM
To: Dan Schutzer
Cc: 'Stephen Farrell'; 'W3 Work Group'
Subject: Re: Odd/bad sentence in 5.4.1


Actually, you can't tell the difference.  If a certificate is beyond
its validity period, the CA takes no responsibility to make status
information available; the certificate may even have been removed from
the CRL.

The basic idea of relaxed path validation is actually in the
"Otherwise..." phrase of the same paragraph:

  Otherwise, the fact that a certificate is outside its validity
  period SHOULD be communicated using error signalling of class
  warning (6.4.3 Warning/Caution Messages).

Maybe that should actually say "at most warning" or "just notification"
or something like that.

The text that Stephen spotted is the flip side: *If* there are validity
checks, then please do them thoroughly and treat expiration as the hard
error.  If you don't do the validity checks, then don't bother with
expiry checks.

--
Thomas Roessler, W3C  <tlr@w3.org>





On 2008-04-02 12:51:26 -0400, Dan Schutzer wrote:
> From: Dan Schutzer <dan.schutzer@fstc.org>
> To: 'Stephen Farrell' <stephen.farrell@cs.tcd.ie>,
> 	'W3 Work Group' <public-wsc-wg@w3.org>
> Date: Wed, 2 Apr 2008 12:51:26 -0400
> Subject: RE: Odd/bad sentence in 5.4.1
> 
> 
> I agree, in the case presented the certificate has expired. It hasn't been
> revoked.
> 
> -----Original Message-----
> From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On
> Behalf Of Stephen Farrell
> Sent: Wednesday, April 02, 2008 12:38 PM
> To: W3 Work Group
> Subject: Odd/bad sentence in 5.4.1
> 
> 
> 
> We didn't get to it on today's call, and I'll forget before the
> next one, but I don't like the following sentence:
> 
> "If certificate status checks are performed by a user agent, and a
> certificate is found to be outside its validity period, then the
> certificate MUST be considered revoked."
> 
> Revocation and validity periods aren't the same and I don't
> see any reason to mix them up like this. For example, depending on
> how a UA handled "considered revoked" the above could mean that a
> cert that isn't yet valid will continue to be treated as revoked
> even after the clock catches up with the notBefore field. That'd
> be bad and non-compliant with x.509/rfc3280.
> 
> Plus, I really liked the relaxed validation which seems to have
> disappeared (maybe at the last f2f?), and would be ruled out
> by that sentence.
> 
> My suggestion: re-instate relaxed validation and delete the
> above sentence.
> 
> S.
> 
> 
> 
> 
> 

Received on Wednesday, 2 April 2008 17:20:58 UTC
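
The distinction argued in this thread, as an added Python sketch that is not part of any message or of the WSC draft: validity is recomputed from the clock on every check (so a not-yet-valid certificate is never stuck as "revoked"), and an expired certificate that is absent from the CRL is reported as expired, never as good. The `Cert` type, the status names, and the sample serial, dates and CRL contents are assumptions constructed for illustration; it models a user agent that does perform status checks.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    NOT_YET_VALID = "not yet valid"
    EXPIRED = "expired"  # revocation state is unknowable, see evaluate()


@dataclass(frozen=True)
class Cert:  # hypothetical stand-in for a parsed X.509 certificate
    serial: int
    not_before: datetime
    not_after: datetime


def evaluate(cert: Cert, crl_serials: set, now: datetime) -> Status:
    """Recomputed from the clock on every call; nothing is cached."""
    if now < cert.not_before:
        return Status.NOT_YET_VALID
    if now > cert.not_after:
        # The CA may have dropped this serial from the CRL, so absence
        # from crl_serials proves nothing: report EXPIRED, never GOOD.
        return Status.EXPIRED
    return Status.REVOKED if cert.serial in crl_serials else Status.GOOD


def usable(status: Status) -> bool:
    """Proposed rule: expired is usable nowhere that revoked is not."""
    return status is Status.GOOD


# Constructed sample data (not taken from the thread).
UTC = timezone.utc
CERT = Cert(0x1001,
            datetime(2008, 1, 1, tzinfo=UTC),
            datetime(2008, 12, 31, tzinfo=UTC))
CRL_WHILE_VALID = {0x1001}   # serial listed during the validity period
CRL_AFTER_EXPIRY = set()     # CA has pruned the expired serial
```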