OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

pki-tc message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [pki-tc] OCSP question


Stephen,

>Given the legal (and medico-legal) issues involved in the above two cases,
>I am certain there is a very strong business case for a service which can
>tell the revocation status of a given certificate at any time in the past.

I don't fully understand why the repository/notary cannot do the OCSP call
and save the _signed_ validation result when the user's signature is supposed
to be stored rather than relied upon.  By saving CRLs or OCSP responses
for the signature receive time, the need for "historical" validation services is
eliminated as well as dependencies on "living" CAs.

If you on top of that put time-stamps, possible re-signed every
10-20 years using the signing technology of that time, you have a
sound foundation for cryptographically secured long-term storage
of signatures and data.

To my knowledge schemes like above is at least in current PKI literature
considered as state-of-the-art.



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]