
cert IDs for CRLs and references within certs
Following the suggestion by Greg Rose to use hashes as pointers, a
certificate ID should be a hash of the certificate.

Ala SET, this could be a "thumb" -- a hash of the whole cert -- or it could
be a hash only of the subject key ID, issuer key ID and <auth> -- allowing
for the same hash to apply independent of changes in validity dates or
locations of subject keys and issuer certs.

I'm inclined to favor the latter, for both pointers from within certs (e.g.,
to the cert which gives the issuer the authority to issue the cert at hand)
and for CRLs.  The implication for CRL use is that one revokes not just a
single certificate but all certificates granting the given authorit(y)(ies)
(including delegation modifier).  That is, it's the authority being revoked
rather than a single certificate.

Does anyone have a strong preference in this issue?

 - Carl

+--------------------------------------------------------------------------+
|Carl M. Ellison          cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc.                              http://www.cybercash.com/    |
|207 Grindall Street           PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Baltimore MD 21230-4103       T:(410) 727-4288     F:(410)727-4293        |
+--------------------------------------------------------------------------+
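The two ID schemes Carl contrasts above, worked as an added example (this is not code from the post or from the SPKI drafts). It assumes a toy certificate represented as a dict of string fields, SHA-256 as the hash (the post does not name one), and a length-prefixed canonical encoding modelled loosely on SPKI canonical S-expressions; the field names and sample values are constructed placeholders. The point it shows: a "thumb" over the whole cert changes whenever validity dates or the issuer-cert location change, whereas an ID over subject key, issuer key, <auth> and the delegation modifier survives re-issue, so a CRL keyed on it revokes the *authority* across all such certs.

```python
import hashlib
from typing import Callable, Dict, List, Set, Tuple

# Constructed stand-in for a certificate: real SPKI certs are S-expressions.
Cert = Dict[str, str]

# Fields that define "who grants what to whom" (including delegation modifier);
# validity dates and key/cert locations are deliberately NOT in this list.
AUTHORITY_FIELDS = ("subject-key", "issuer-key", "auth", "delegate")


def canonical(items: List[Tuple[str, str]]) -> bytes:
    """Length-prefixed encoding ('<len>:<bytes>' per atom, as in canonical
    S-expressions) so the hash cannot depend on whitespace or key order."""
    out = bytearray()
    for name, value in items:
        for atom in (name, value):
            raw = atom.encode("utf-8")
            out += f"{len(raw)}:".encode("ascii") + raw
    return bytes(out)


def thumb_id(cert: Cert) -> str:
    """'Thumb' style (a la SET): hash of every field of the certificate."""
    return hashlib.sha256(canonical(sorted(cert.items()))).hexdigest()


def authority_id(cert: Cert) -> str:
    """Hash only of subject key ID, issuer key ID, <auth> and delegate flag."""
    return hashlib.sha256(
        canonical([(f, cert[f]) for f in AUTHORITY_FIELDS])
    ).hexdigest()


def is_revoked(cert: Cert, crl: Set[str], id_func: Callable[[Cert], str]) -> bool:
    """A CRL is just a set of IDs; which ID function built it decides what
    'revoked' means (one cert vs. the whole authority)."""
    return id_func(cert) in crl


def compare_ids(a: Cert, b: Cert) -> Dict[str, bool]:
    """Report whether two certs collide under each ID scheme."""
    return {
        "thumb_same": thumb_id(a) == thumb_id(b),
        "authority_same": authority_id(a) == authority_id(b),
    }


def make_sample_certs() -> Tuple[Cert, Cert, Cert]:
    """Constructed sample data: an original cert, the same authority re-issued
    with new validity dates and a moved issuer cert, and a narrowed grant."""
    original: Cert = {
        "issuer-key": "ISSUER-KEY-HASH-placeholder",
        "subject-key": "SUBJECT-KEY-HASH-placeholder",
        "auth": "(ftp example.invalid /pub/cme)",
        "delegate": "no",
        "not-before": "1996-05-01",
        "not-after": "1996-11-01",
        "issuer-cert-location": "http://example.invalid/issuer.cert",
    }
    renewed: Cert = {
        **original,
        "not-before": "1996-11-01",
        "not-after": "1997-05-01",
        "issuer-cert-location": "http://mirror.example.invalid/issuer.cert",
    }
    narrowed: Cert = {**original, "auth": "(ftp example.invalid /pub/cme/readonly)"}
    return original, renewed, narrowed


if __name__ == "__main__":
    original, renewed, narrowed = make_sample_certs()
    print("original vs renewed :", compare_ids(original, renewed))
    print("original vs narrowed:", compare_ids(original, narrowed))
    # Revoking by authority ID catches the renewed cert; a thumb-keyed CRL does not.
    authority_crl = {authority_id(original)}
    thumb_crl = {thumb_id(original)}
    print("renewed revoked (authority CRL):", is_revoked(renewed, authority_crl, authority_id))
    print("renewed revoked (thumb CRL)    :", is_revoked(renewed, thumb_crl, thumb_id))
```

The design consequence is the one the post spells out: with authority-style IDs the issuer cannot revoke one instance of a grant while leaving an identically-scoped re-issue valid; revocation is of the grant itself, and a cert with a different <auth> (the `narrowed` sample) gets a different ID and is untouched by that CRL entry.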