Re: cert IDs for CRLs and references within certs




> Following the suggestion by Greg Rose to use hashes as pointers, a
> certificate ID should be a hash of the certificate.
> 
> Ala SET, this could be a "thumb" -- a hash of the whole cert -- or it could
> be a hash only of the subject key ID, issuer key ID and <auth> -- allowing
> for the same hash to apply independent of changes in validity dates or
> locations of subject keys and issuer certs.
> 
> I'm inclined to favor the latter, for both pointers from within certs (e.g.,
> to the cert which gives the issuer the authority to issue the cert at hand)
> and for CRLs.  The implication for CRL use is that one revokes not just a
> single certificate but all certificates granting the given authorit(y)(ies)
> (including delegation modifier).  That is, it's the authority being revoked
> rather than a single certificate.
> 
> Does anyone have a strong preference in this issue?

It pays sometimes to let your mail pile up; you answered the questions I
was about to ask after reading your last note.

I was similarly inclined to you in this matter, though from the X.509
world and our internally-developed group permissions scheme the
revocation applied to a specific expression (e.g. certificate) of a
privilege binding rather than to the binding itself.  This was largely due to
the fact that if you revoked the privilege, it would be devilishly hard
to reinstate, if ever you wished to do that.  If only the certificate
itself were expressly revoked, reinstatement would be simple.  We tried
other ways to do this and eventually decided that specific revocation of
a specific expression was the only thing that worked well for us.

Any other opinions?

Brian Thomas - Distributed Systems Architect  bt0008@entropy.sbc.com
Southwestern Bell                             bthomas@primary.net
One Bell Center,  Room 23Q1                   Tel: 314 235 3141
St. Louis, MO 63101                           Fax: 314 331 2755
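
Added example, not part of the original message or of any project's code: a sketch of the two certificate-ID schemes discussed above (hash of the whole cert versus hash of subject key ID, issuer key ID and auth) and what a CRL entry under each one covers when a cert is re-issued with new validity dates. The field names, the JSON encoding and the choice of SHA-256 are assumptions made for illustration.

```python
import hashlib
import json

def _digest(fields):
    # Assumption: sorted-key JSON stands in for a canonical cert encoding.
    blob = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def thumb_id(cert):
    """ID as a hash of the whole certificate (the "thumb")."""
    return _digest(cert)

def authority_id(cert):
    """ID as a hash of subject key ID, issuer key ID and auth only."""
    return _digest({k: cert[k] for k in ("subject_key_id", "issuer_key_id", "auth")})

def is_revoked(cert, crl, id_fn):
    """A cert is revoked if its ID, under the chosen scheme, is on the CRL."""
    return id_fn(cert) in crl

# Constructed sample data: one grant of authority, expressed as two certs
# that differ only in their validity dates.
ORIGINAL = {
    "subject_key_id": "subject-key-hash-placeholder",
    "issuer_key_id": "issuer-key-hash-placeholder",
    "auth": {"tag": "group-member", "may_delegate": False},
    "not_before": "1996-01-01",
    "not_after": "1996-12-31",
}
REISSUED = dict(ORIGINAL, not_before="1997-01-01", not_after="1997-12-31")

def demo():
    """Revoke ORIGINAL under each scheme and report which certs are hit."""
    thumb_crl = {thumb_id(ORIGINAL)}
    auth_crl = {authority_id(ORIGINAL)}
    return {
        "thumb_original": is_revoked(ORIGINAL, thumb_crl, thumb_id),
        "thumb_reissued": is_revoked(REISSUED, thumb_crl, thumb_id),
        "auth_original": is_revoked(ORIGINAL, auth_crl, authority_id),
        "auth_reissued": is_revoked(REISSUED, auth_crl, authority_id),
    }

if __name__ == "__main__":
    for name, revoked in demo().items():
        print(f"{name}: {'revoked' if revoked else 'valid'}")
```

Under the whole-cert hash the re-issued cert stays valid, which is the simple reinstatement path described in the reply; under the authority hash the same CRL entry also covers the re-issued cert, so the authority stays revoked until that entry is withdrawn.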