Subject: Re: [imi] Philosophical questions
If a certificate doesn't chain to a valid root, the Public Key is used to generate the Client Pseudonym rather than the values from the DN.

I have been asked by someone if case 3 should be used for expired and revoked certificates. I think the answer is no; they still chain to a trusted root even though they may not be trusted themselves.

This is slightly counterintuitive, but is due to the fact that changing the PPID breaks the P-Card for that site. If the user overrides a selector warning and indicates a policy override of some sort for the site, then the PPID should remain the same and the card should continue to work at the site.

Some selectors who shall go unnamed may want to add some user dialog around this, though that is outside of the spec.

John B.

On 2-Apr-09, at 12:51 PM, Scott Cantor wrote: