Hi Oscar and Jesus,

Your document says: "it is highly recommended that only End Entities revoke their own Proxy Certificates. If a third party is required to perform this process (i.e. resource owners and local security administrators), it is recommended to notify of such revocation the corresponding End Entity from the Proxy Validation Path so appropriate counteractive actions can take place. However, as mentioned previously, third party revocation is not a recommended practice from a security point of view."

I would actually go further than you do, and say that no-one is allowed to revoke a proxy certificate except its creator or an authorised delegate of the creator. Allowing anyone else to revoke a proxy is equivalent to allowing a DoS attack on the proxy.

On the other hand, a resource owner is the source of authority for his own resource, and can trust or distrust any certs that he wants to (PKC and AC). Therefore a resource owner can blacklist anything from using his resource. But this is not revocation of a proxy cert, since the proxy cert is still authentic and can still be used at other resources that trust it. It simply isn't valid for use at the local resource. Revocation, on the other hand, ensures that no-one should trust the proxy cert, since the issuer is saying that it is no longer valid.

regards

David

jluna@ac.upc.edu wrote:
Hi!

You will find attached to this message our proposed text for the Proxy Revocation topic, taking into account some comments from D. Chadwick as mentioned in the teleconference.
Best regards, Oscar & Jesus
--
*****************************************************************
David W. Chadwick, BSc PhD
Professor of Information Systems Security
The Computing Laboratory, University of Kent, Canterbury, CT2 7NF
Tel: +44 1227 82 3221
Fax: +44 1227 762 811
Mobile: +44 77 96 44 7184
Email: D.W.Chadwick@kent.ac.uk
Home Page: http://www.cs.kent.ac.uk/people/staff/dwc8/index.html
Research Web site: http://sec.cs.kent.ac.uk
Entrust key validation string: MLJ9-DU5T-HV8J
PGP Key ID is 0xBC238DE5
*****************************************************************
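As an added example (not part of the thread, and not code from either author), the following toy model in Python shows the distinction David draws: issuer-side revocation, which only the proxy's creator or a delegate the creator has authorised may perform and which invalidates the proxy everywhere, versus a resource owner's local blacklist, which blocks the proxy at that resource only. The certificate class, the registry and resource types, the names (CN=alice, site-a, site-b, the helpdesk delegate) and the chain layout are all constructed for illustration; no real PKI library or Globus/GSI code is involved.

```python
"""Toy model of proxy revocation vs. local blacklisting (added example, not
from the thread). All names, types and the sample chain are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str   # for a proxy, the entity that created it (its "creator")
    serial: int


@dataclass
class RevocationRegistry:
    """Issuer-side revocation: only the creator of a proxy, or a delegate the
    creator has authorised, may revoke it.  Anyone else is refused, which is
    what stops a third party mounting a denial of service via revocation."""
    delegates: dict = field(default_factory=dict)  # creator -> set of delegates
    revoked: set = field(default_factory=set)      # (issuer, serial) pairs

    def authorise_delegate(self, creator: str, delegate: str) -> None:
        self.delegates.setdefault(creator, set()).add(delegate)

    def revoke(self, cert: Cert, requester: str) -> bool:
        allowed = (requester == cert.issuer
                   or requester in self.delegates.get(cert.issuer, set()))
        if not allowed:
            return False          # refused: not the creator or a delegate
        self.revoked.add((cert.issuer, cert.serial))
        return True

    def is_revoked(self, cert: Cert) -> bool:
        return (cert.issuer, cert.serial) in self.revoked


@dataclass
class Resource:
    """A resource owner's local view: anything may be blacklisted here, but
    the decision affects only this resource, never the cert's validity."""
    name: str
    blacklist: set = field(default_factory=set)

    def blacklist_cert(self, cert: Cert) -> None:
        self.blacklist.add((cert.issuer, cert.serial))


def validate_path(path, registry: RevocationRegistry, resource: Resource):
    """Walk the proxy validation path EE -> proxy1 -> proxy2 ... and check
    (1) each proxy was issued by the previous subject, (2) no cert in the
    path has been revoked by its creator (a global failure), and (3) no cert
    in the path is on this resource's blacklist (a local failure).
    Returns (ok, reason)."""
    for i, cert in enumerate(path):
        if i > 0 and cert.issuer != path[i - 1].subject:
            return False, f"broken chain at {cert.subject}"
        if registry.is_revoked(cert):
            return False, f"{cert.subject} revoked by its issuer"
        if (cert.issuer, cert.serial) in resource.blacklist:
            return False, f"{cert.subject} blacklisted at {resource.name}"
    return True, "ok"


def demo() -> dict:
    """Run the scenario from the thread; returns the outcome of each step."""
    ee = Cert("CN=alice", "CN=CA", 1)                 # end entity cert
    p1 = Cert("CN=alice/proxy1", "CN=alice", 1001)    # created by alice
    p2 = Cert("CN=alice/proxy1/proxy2", "CN=alice/proxy1", 1002)
    path = [ee, p1, p2]
    registry = RevocationRegistry()
    site_a, site_b = Resource("site-a"), Resource("site-b")
    out = {}
    # A site admin tries to revoke alice's proxy: refused, not the creator.
    out["third_party_revoke"] = registry.revoke(p1, requester="CN=site-a-admin")
    # The admin may still blacklist it locally; site-b is unaffected.
    site_a.blacklist_cert(p1)
    out["at_a_after_blacklist"] = validate_path(path, registry, site_a)[0]
    out["at_b_after_blacklist"] = validate_path(path, registry, site_b)[0]
    # alice authorises a delegate, who revokes p1; p2 below it now fails too.
    registry.authorise_delegate("CN=alice", "CN=alice-helpdesk")
    out["delegate_revoke"] = registry.revoke(p1, requester="CN=alice-helpdesk")
    out["at_b_after_revoke"] = validate_path(path, registry, site_b)[0]
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step}: {result}")
```

The ordering in `validate_path` mirrors the argument: a creator's revocation is checked first because it is meant to be honoured by every relying party, while the blacklist check is a per-resource access-control decision that says nothing about the proxy's authenticity elsewhere.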