- From: <michael.mccormick@wellsfargo.com>
- Date: Wed, 2 Apr 2008 12:09:32 -0500
- To: <tlr@w3.org>, <dan.schutzer@fstc.org>
- Cc: <stephen.farrell@cs.tcd.ie>, <public-wsc-wg@w3.org>
What if we add a clarifying statement something like: "The user agent MUST NOT use an expired certificate for any purpose in which it would not use a revoked certificate." I'd like to hear Phill's views on this. Mike -----Original Message----- From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of Thomas Roessler Sent: Wednesday, April 02, 2008 11:58 AM To: Dan Schutzer Cc: 'Stephen Farrell'; 'W3 Work Group' Subject: Re: Odd/bad sentence in 5.4.1 Actually, you can't tell the difference. If a certificate has is beyond its validity period, the CA takes no responsibility to make status information available; the certificate may even have been removed from the CRL. The basic idea of relaxed path validation is actually in the "Otherwise..." phrase of the same paragraph: Otherwise, the fact that a certificate is outside its validity period SHOULD be communicated using error signalling of class warning (6.4.3 Warning/Caution Messages ). Maybe that should actually say "at most warning" or "just notification" or something like that. The text that Stephen spotted is the flip side: *If* there are validity checks, then please do them thoroughly and treat expiration as the hard error. If you don't do the validity checks, then don't bother with expiry checks. -- Thomas Roessler, W3C <tlr@w3.org> On 2008-04-02 12:51:26 -0400, Dan Schutzer wrote: > From: Dan Schutzer <dan.schutzer@fstc.org> > To: 'Stephen Farrell' <stephen.farrell@cs.tcd.ie>, > 'W3 Work Group' <public-wsc-wg@w3.org> > Date: Wed, 2 Apr 2008 12:51:26 -0400 > Subject: RE: Odd/bad sentence in 5.4.1 > List-Id: <public-wsc-wg.w3.org> > X-Spam-Level: > Authentication-Results: mx.google.com; spf=pass (google.com: domain of > public-wsc-wg-request@listhub.w3.org designates 128.30.52.56 as permitted sender) > smtp.mail=public-wsc-wg-request@listhub.w3.org > Archived-At: <http://www.w3.org/mid/01f701c894e1$cb94faf0$6400a8c0@dschutzer> > X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.1.6 > > > I agree, in the case presented the certificate has expired. It hasn't been > revoked. > > -----Original Message----- > From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On > Behalf Of Stephen Farrell > Sent: Wednesday, April 02, 2008 12:38 PM > To: W3 Work Group > Subject: Odd/bad sentence in 5.4.1 > > > > We didn't get to it on today's call, and I'll forget before the > next one, but I don't like the following sentence: > > "If certificate status checks are performed by a user agent, and a > certificate is found to be outside its validity period, then the > certificate MUST be considered revoked." > > Revocation and validity periods aren't the same and I don't > see any reason to mix them up like this. For example, depending on > how a UA handled "considered revoked" the above could mean that a > cert that isn't yet valid will continue to be treated as revoked > even after the clock catches up with the notBefore field. That'd > be bad and non-compliant with x.509/rfc3280. > > Plus, I really liked the relaxed validation which seems to have > disappeared (maybe at the last f2f?), and would be ruled out > by that sentence. > > My suggestion: re-instate relaxed validation and delete the > above sentence. > > S. > > > > >
Received on Wednesday, 2 April 2008 17:20:58 UTC