Date: Mon, 13 Oct 1997 14:49:49 -0700 (PDT)
From: Hemma Prafullchandra <Hemma.Prafullchandra@Eng>
Subject: Re: Revoking bad certificates?
To: nick.battle@x400.icl.co.uk

Hello Nick,

--> I haven't seen any discussion about what happens if the
--> certificate used to sign an applet is revoked by the CA?
-->

In the next release of the JDK, beta coming out within a week or
so, we have added support for parsing certificate revocation lists (CRLs).
So, in the future you can check whether a certificate has been
revoked by getting the CRL from the appropriate CA and verifying
the certificate is not on the list.

--> For example, if an applet writer's private key is stolen by some
--> means (accidental or malicious) and the writer wants to revoke his
--> certificate to prevent people believing the thief's applets are
--> his, how is that "revocation event" circulated to all the applet
--> users (and who is responsible for its circulation)?
-->
--> Thanks,
--> -nick

If a public CA is involved then the CRL from that CA would be
the means of notifying the client systems of compromised keys.
The client systems would have to retrieve the CRL and insist on
a check of all certificates against appropriate CRLs.

Regards,
Hemma Prafullchandra
JavaSoft security Group
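
The check described in the reply above, as an added example that is not part of the original message and is not JavaSoft code: it uses the `java.security.cert` API as found in current JDKs, and rejects the signer certificate unless a correctly signed, current CRL from the issuing CA does not list it. The class name `CrlCheck`, the file names, and the assumption that the CRL has already been retrieved to a local file are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.util.Date;

public class CrlCheck {
    /** Returns null when the certificate passes, otherwise the reason to reject it. */
    static String reject(X509Certificate cert, X509Certificate ca, X509CRL crl, Date now) {
        try {
            cert.verify(ca.getPublicKey()); // certificate was issued by this CA
            crl.verify(ca.getPublicKey());  // CRL was signed by the same CA, not forged
        } catch (Exception e) {
            return "signature check failed: " + e;
        }
        if (!crl.getIssuerX500Principal().equals(cert.getIssuerX500Principal())) {
            return "CRL issuer does not match certificate issuer";
        }
        // Fail closed on an out-of-date list: a stale CRL cannot show recent revocations.
        // Treating a missing nextUpdate as "not current" is a policy choice of this example.
        Date next = crl.getNextUpdate();
        if (now.before(crl.getThisUpdate()) || next == null || now.after(next)) {
            return "CRL is not current (nextUpdate=" + next + ")";
        }
        X509CRLEntry entry = crl.getRevokedCertificate(cert);
        if (entry != null) {
            return "serial " + cert.getSerialNumber().toString(16)
                    + " revoked on " + entry.getRevocationDate();
        }
        return null;
    }

    static String checkFiles(String certPath, String caPath, String crlPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream c = new FileInputStream(certPath);
             InputStream a = new FileInputStream(caPath);
             InputStream r = new FileInputStream(crlPath)) {
            return reject((X509Certificate) cf.generateCertificate(c),
                    (X509Certificate) cf.generateCertificate(a),
                    (X509CRL) cf.generateCRL(r), new Date());
        }
    }

    // Usage (placeholder file names): java CrlCheck signer.cer ca.cer ca.crl
    public static void main(String[] args) throws Exception {
        String reason = checkFiles(args[0], args[1], args[2]);
        System.out.println(reason == null ? "OK: not on the CRL" : "REJECT: " + reason);
        System.exit(reason == null ? 0 : 1);
    }
}
```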