- From: Blair Dillaway <blaird@microsoft.com>
- Date: Wed, 6 Mar 2002 15:20:55 -0800
- To: "Mike Just" <Mike.Just@entrust.com>, "Hallam-Baker, Phillip" <pbaker@verisign.com>, <reagle@w3.org>, <stephen.farrell@baltimore.ie>, <www-xkms@w3.org>
- Message-ID: <AA19CFCE90F52E4B942B27D42349637902CDCF2E@red-msg-01.redmond.corp.microsoft.com>

I'll argue for keeping this general to support the types of cases described below. We should be able to return valid, and the interval during which it should remain valid. Return invalid with an indication of what interval in the past it was valid or what time in the future it might become valid.

This also raises the issue of expressing open intervals. Seems reasonable these are captured by only supplying a NotBefore or NotAfter datetime. Should be documented.

Blair

-----Original Message-----
From: Mike Just [mailto:Mike.Just@entrust.com]
Sent: Wednesday, March 06, 2002 6:45 AM
To: 'Hallam-Baker, Phillip'; 'reagle@w3.org'; 'stephen.farrell@baltimore.ie'; www-xkms@w3.org
Subject: RE: status of the nation...

Actually, the end date for the invalidity period may not have to do with revocation or suspension. For example, suppose that I'm issued a certificate on Sunday that does not become valid until Monday. If, on Sunday, someone wants to validate my certificate, I assume that the response could say that it is invalid....until Monday. The client could simply treat as invalid, or could be designed to come back at a later time (though I can't imagine designing software to do this). In any case, the end date for the validity period would make sense.

Alternatively, one might say that the validation response could include a validity interval with a start date of Monday. However, this wouldn't be a "valid" response since as of the current time, the certificate would not be considered valid.

Mike

-----Original Message-----
From: Hallam-Baker, Phillip [mailto:pbaker@verisign.com]
Sent: Tuesday, March 05, 2002 1:48 PM
To: 'reagle@w3.org'; Hallam-Baker, Phillip; 'stephen.farrell@baltimore.ie'; www-xkms@w3.org
Subject: RE: status of the nation...

The only case in which it could arise is if the backing PKI is X.509 and the certificate enquired about is in suspend status.

Under X.509v3 rules the certificate is Invalid from the date specified in the CRL to the date of the next CRL. When the next CRL is issued the cert might be reinstated or might still be suspended.

Phill

Phillip Hallam-Baker FBCS C.Eng.
Principal Scientist
VeriSign Inc.
pbaker@verisign.com
781 245 6996 x227

> -----Original Message-----
> From: Joseph Reagle [mailto:reagle@w3.org]
> Sent: Tuesday, March 05, 2002 1:42 PM
> To: Hallam-Baker, Phillip; 'stephen.farrell@baltimore.ie';
> www-xkms@w3.org
> Subject: Re: status of the nation...
>
> On Tuesday 05 March 2002 13:02, Hallam-Baker, Phillip wrote:
> > In most cases then a responder sending back invalid would be expected to
> > send back a start date with no end date. But it is possible that a
> > responder would need to send back invalid with a validity interval closed
> > at both ends.
>
> Why would that be? What does it mean if it is closed for the time
> afterwards? (Regardless, the answer should be documented.)
>
> --
> Joseph Reagle Jr.                 http://www.w3.org/People/Reagle/
> W3C Policy Analyst                mailto:reagle@w3.org
> IETF/W3C XML-Signature Co-Chair   http://www.w3.org/Signature/
> W3C XML Encryption Chair          http://www.w3.org/Encryption/2001/

Received on Wednesday, 6 March 2002 18:21:40 UTC
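
The three cases raised in this thread (invalid until a future start date, invalid between two CRLs, invalid from a start date with no end), worked through as an added example that is not part of the original messages or of any XKMS schema. It assumes one of the readings under discussion: the interval is the period during which the returned status holds, with both ends inclusive. The <ValidityInterval> element shape, the sample dates and the "requery" label are constructed for illustration; only the NotBefore and NotAfter names come from the thread.

```python
import xml.etree.ElementTree as ET
from datetime import datetime


def parse_interval(xml_text):
    """Return (not_before, not_after); a missing attribute leaves that end open (None)."""
    elem = ET.fromstring(xml_text)
    bounds = []
    for name in ("NotBefore", "NotAfter"):
        raw = elem.get(name)
        if raw is None:
            bounds.append(None)  # open end of the interval
            continue
        dt = datetime.fromisoformat(raw.replace("Z", "+00:00"))
        if dt.tzinfo is None:
            raise ValueError(f"{name} has no time zone: {raw!r}")
        bounds.append(dt)
    not_before, not_after = bounds
    if not_before is not None and not_after is not None and not_before > not_after:
        raise ValueError("NotBefore is later than NotAfter")
    return not_before, not_after


def status_at(status, interval, when):
    """Status the response asserts at `when`; "requery" if `when` is outside its interval."""
    not_before, not_after = interval
    if not_before is not None and when < not_before:
        return "requery"
    if not_after is not None and when > not_after:
        return "requery"
    return status


# Constructed sample responses: (status, interval XML). Assumed shape, not a real schema.
# Certificate issued Sunday 3 March 2002, not valid until Monday: open start, closed end.
NOT_YET_VALID = ("Invalid", '<ValidityInterval NotAfter="2002-03-04T00:00:00Z"/>')
# Suspended from one CRL to the next: closed at both ends.
SUSPENDED = ("Invalid", '<ValidityInterval NotBefore="2002-03-05T00:00:00Z" '
                        'NotAfter="2002-03-12T00:00:00Z"/>')
# Start date with no end date: the status holds indefinitely.
REVOKED = ("Invalid", '<ValidityInterval NotBefore="2002-03-05T00:00:00Z"/>')


def check(response, iso_time):
    """Evaluate a (status, interval XML) pair at an ISO 8601 time that carries an offset."""
    status, xml_text = response
    return status_at(status, parse_interval(xml_text), datetime.fromisoformat(iso_time))
```

A client that caches responses would call check() with the current time and treat "requery" as "this answer says nothing about now", rather than falling back to the last status it saw.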