Re: Digital Certification Revocation



On Wed, Sep 16, 2009 at 06:53:26PM +0200, M.D.Mufambisi spake thusly:
Another question from yours truly. When someone has a digital
certificate, and then passes away (dies), how does the Revocation
authority get to know about this so as to disallow further use of that
person's digital cert?

The authority needs to be sent a revocation request signed by the
certificate being revoked. It is good practice to generate this
revocation request at key generation time and keep it in a safe
place. This is because, if the signing key is lost such that no signed
revocation certificate can be generated, it becomes impossible to
revoke.

Similarly, if the private signing key is encrypted and the owner of
the key takes the password to their grave, it is impossible to generate
a revocation certificate.

--
Tracy Reed
http://tracyreed.org
