Sead Muftic
3. When you receive the PEM letter from someone, it will contain two
certificates: your partner's and his/her CA's. If that is not enough for
verification (since these may belong, completely or partially, to a
certificate path outside of yours), the PEM user agent will automatically
send a special Certificate request letter to the first CA in your
partner's path whose certificate is missing. The reply will contain the
required certificate, plus all certificates up to the top of the partner's
path. When received, all these certificates will again be verified and
stored in your database.
This is a point I still do not understand -- HOW DOES THE RECIPIENT OF A
PEM MESSAGE KNOW WHERE TO SEND A REQUEST FOR A CERTIFICATE OR A CRL?
All that PEM puts in the message is the Distinguished Name of the CA.
Where will the "PEM user agent" go "automatically" to get the required
certificate?
--- Next thought
From RFC 1422:
The certificate of the originator is (optionally)
included in the header in the Certificate field as described in RFC
1421. This is done in order to facilitate validation in the absence
of ubiquitous directory services. Upon receipt of a privacy enhanced
message, a recipient validates the originator's certificate (using
the IPRA public component as the root of a certification path),
checks to ensure that it has not been revoked, extracts the public
component from the certificate, and uses that value to recover
(decrypt) the MIC.
If the PEM user agent "really" needs a current CRL, I can see why there
is no reason to put a certificate into a PEM message, since the
recipient can NEVER trust a certificate without looking for ALL
hierarchical CRLs... Or am I missing something obvious?
--- Next thought
Imagine this. A company employee is certified by the company. (As I
understand it, this is the standard way to go.) The company issues a PO
signed by the employee. Until the next time that someone requests a CRL,
the company seems to have the right to list the employee's certificate
on its CRL. Therefore it would seem that unless the CRL is requested
immediately prior to accepting a PEM message, the PEM message can
legitimately be repudiated by the company. Please show me how this
logic fails.
Tom Jones - ViaCrypt div. of Lemcom Sys
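Added example (editor's; not part of Tom Jones's post, of Sead Muftic's description, or of any PEM implementation): a toy Python model of the validation loop the thread is arguing about. It walks the originator's certificate up to the IPRA key as RFC 1422 describes, demands a CRL at every level of the path, fetches a missing CA certificate from a simulated CA, and then checks the company's PO under three conditions: a current company CRL that lists nothing, a later CRL that lists the employee, and the first CRL after it has passed its next-update time. Everything in it is constructed: the names, serials, times and PO text are made up, the RSA keys are tiny toy keys, and the DN-to-CA lookup in `fetch_from_ca` is an assumption (it stands in for exactly the directory service the post says is missing).

```python
"""Toy model of RFC 1422 path validation with a CRL check at every level.
Textbook RSA over SHA-256 with tiny constructed keys; certificates, CRLs and
the CA's replies are in-memory objects.  Models the logic only, not real PEM."""
import hashlib
from collections import namedtuple

IPRA = "IPRA"   # trust anchor; its key is the root of every certification path

def keygen(p, q, e=65537):
    """((n, e), d).  Here p-1, q-1 < e, so gcd(e, phi) == 1 is guaranteed."""
    return (p * q, e), pow(e, -1, (p - 1) * (q - 1))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, pub, priv):
    return pow(digest(data, pub[0]), priv, pub[0])

def verify(data, sig, pub):
    return pow(sig, pub[1], pub[0]) == digest(data, pub[0])

Cert = namedtuple("Cert", "subject issuer serial pubkey sig")
CRL = namedtuple("CRL", "issuer this_update next_update revoked sig")  # revoked: tuple of serials

def tbs(obj):
    """The to-be-signed encoding: every field except the trailing signature."""
    return "|".join(map(str, obj[:-1])).encode()

def validate_path(leaf, provided, trusted, crls, now, fetch):
    """Walk leaf -> ... -> IPRA.  At each level verify the signature with the issuer's
    key, then require a CRL signed by that issuer, current at `now`, not listing the
    cert.  Issuers in neither the local db (`trusted`) nor the letter (`provided`)
    are fetched from the CA and enter the local db only after the whole path checks."""
    cert, staged, path = leaf, dict(provided), []
    while cert.subject != IPRA:
        issuer = trusted.get(cert.issuer) or staged.get(cert.issuer)
        if issuer is None:
            for c in fetch(cert.issuer):        # the Certificate request letter
                staged[c.subject] = c
            issuer = staged.get(cert.issuer)
            if issuer is None:
                raise ValueError(f"no certificate for {cert.issuer}")
        if not verify(tbs(cert), cert.sig, issuer.pubkey):
            raise ValueError(f"bad signature on {cert.subject}")
        crl = crls.get(cert.issuer)
        if crl is None or not verify(tbs(crl), crl.sig, issuer.pubkey):
            raise ValueError(f"no valid CRL from {cert.issuer}")
        if not crl.this_update <= now <= crl.next_update:
            raise ValueError(f"CRL from {cert.issuer} not current at t={now}")
        if cert.serial in crl.revoked:
            raise ValueError(f"{cert.subject} (serial {cert.serial}) is revoked")
        path.append(cert)
        cert = issuer
    if cert is not trusted.get(IPRA):   # only the locally held IPRA key is a root
        raise ValueError("path does not end at the local IPRA root")
    trusted.update(staged)
    return [c.subject for c in path]

# --- constructed scenario: two PCA branches under one IPRA --------------------
NAMES = [IPRA, "PCA-A", "CA-Recipient", "PCA-B", "CA-Company", "Employee"]
_P = [n for n in range(10007, 10300) if all(n % k for k in range(2, int(n ** 0.5) + 1))]
KEYS = {n: keygen(_P[2 * i], _P[2 * i + 1]) for i, n in enumerate(NAMES)}

def signed(obj, issuer):
    """Fill the sig field of a Cert or CRL with the named issuer's signature."""
    return obj._replace(sig=sign(tbs(obj), *KEYS[issuer]))

def cert(subject, serial, issuer):
    return signed(Cert(subject, issuer, serial, KEYS[subject][0], 0), issuer)

CERTS = {IPRA: cert(IPRA, 1, IPRA), "PCA-A": cert("PCA-A", 2, IPRA),
         "CA-Recipient": cert("CA-Recipient", 3, "PCA-A"), "PCA-B": cert("PCA-B", 4, IPRA),
         "CA-Company": cert("CA-Company", 5, "PCA-B"), "Employee": cert("Employee", 6, "CA-Company")}
BASE_CRLS = {n: signed(CRL(n, 0, 1000, (), 0), n) for n in (IPRA, "PCA-A", "PCA-B", "CA-Recipient")}
CRL_V1 = signed(CRL("CA-Company", 90, 120, (), 0), "CA-Company")    # issued before the PO; lists nothing
CRL_V2 = signed(CRL("CA-Company", 110, 140, (6,), 0), "CA-Company")  # issued after it; lists the employee
PO = b"Purchase order 4711: 200 units"                               # constructed message body
MIC = sign(PO, *KEYS["Employee"])                                    # the employee's signature on it

def fetch_from_ca(ca_name):
    """Simulated CA reply: its own cert plus all up to the top (assumes a DN-to-CA directory)."""
    out, name = [], ca_name
    while True:
        out.append(CERTS[name])
        if name == IPRA:
            return out
        name = CERTS[name].issuer

def check_po(now, company_crl):
    """The recipient's view of the PO at time `now`, holding the given company CRL."""
    trusted = {n: CERTS[n] for n in (IPRA, "PCA-A", "CA-Recipient")}  # recipient's own db
    provided = {n: CERTS[n] for n in ("Employee", "CA-Company")}      # carried in the PEM letter
    crls = dict(BASE_CRLS, **{"CA-Company": company_crl})
    try:
        path = validate_path(CERTS["Employee"], provided, trusted, crls, now, fetch_from_ca)
    except ValueError as e:
        return "FAIL", str(e)
    return ("OK", path) if verify(PO, MIC, CERTS["Employee"].pubkey) else ("FAIL", "bad MIC")

if __name__ == "__main__":
    print([check_po(t, c) for t, c in ((100, CRL_V1), (115, CRL_V2), (130, CRL_V1))])
```

Running it prints the three outcomes: at t=100 with the first CRL the PO validates and the path comes back as Employee, CA-Company, PCA-B (the PCA-B certificate was fetched because it lies outside the recipient's own path); at t=115 with the second CRL the employee is rejected as revoked; and at t=130 with the first CRL the check fails because that CRL is no longer current, so the user agent cannot proceed without asking the company for a fresh one. The "current CRL at every level" rule is what makes the last case a hard failure rather than a silent acceptance.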