CRL format revision
In off-list conversation it became clear that the validity field of a CRL
should be an expiration datime rather than a CRL lifetime. This is the
datime after which you need to go fetch a new CRL but prior to which you can
use the one you have cached.
We also need to provide for delta-CRLs (the only way CRLs make performance
sense, IMHO) -- and that means we need to be able to refer back to one CRL
in a sequence of CRLs.
The reason field makes sense, but I would suggest that it be optional.
We probably also want to make room for ECR validity, as an optional field.
This gives us a more mature CRL:
begin: <comment>
issuer: <key ID>
CRL-sequence: <int>
revoke: <cert ID>,<reason>
[... more revocation lines...]
expires: <date>
CRL-ECR-params: <F>,<V>
end: <comment>
signature: <....>
or, for a delta-CRL,
begin: <comment>
issuer: <key ID>
CRL-sequence: <int>
Delta-from-CRL: <int>
revoke: <cert ID>,<reason>
[... more revocation lines...]
expires: <date>
CRL-ECR-params: <F>,<V>
end: <comment>
signature: <....>
where <reason> could be encoded, for any readily agreed-upon list of
possible reasons, with a text escape; or could be just raw text. I'm
inclined to favor raw (possibly empty) text because I don't imagine a
verifying program second-guessing the CRL about the cert's validity based on
the <reason>. OTOH, an encoding of common reasons saves space.
<cert ID>, based on Brian's reasoning, would be the hash of a full cert --
in SET terms, a 'thumb'.
CRL-sequence: gives the sequence number (sequential for that issuer) of the
current CRL.
delta-from-CRL: <int> gives the sequence number of a prior CRL to be
considered incorporated by reference.
If ECR is in use, then we can have a one-line empty delta-CRL of the form:
ECR-empty-delta: <S>,<D>,<V'>
where <S> is the current CRL-sequence, <D> is the Delta-from-CRL, and <V'>
is the (S-D)'th pre-image of the <V> given in the CRL numbered D. This one
line form is valid only when the delta-CRL is empty. {<F> is the name of
the hash algorithm.}
- Carl
+--------------------------------------------------------------------------+
|Carl M. Ellison cme@cybercash.com http://www.clark.net/pub/cme |
|CyberCash, Inc. http://www.cybercash.com/ |
|207 Grindall Street PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Baltimore MD 21230-4103 T:(410) 727-4288 F:(410)727-4293 |
+--------------------------------------------------------------------------+
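As an added example (not code from the message or from any SPKI implementation), the following Python parses the text CRL and delta-CRL layout sketched above, incorporates a delta by reference to the base CRL's sequence number, and checks the one-line ECR-empty-delta form: <V'> must be the (S-D)'th pre-image of the <V> published in CRL number D, so applying <F> to <V'> S-D times must reproduce <V>. Everything beyond the field names is an assumption of this example: <F> is taken to be "sha256" with <V> hex-encoded, and the issuer key ID, cert thumbs, dates and chain seed are constructed here. Signature checking is left out.

```python
"""Parser and checker for the text CRL / delta-CRL layout in the message,
plus the ECR hash-chain check for the one-line empty delta.
Added example; only the field names come from the message. Issuer ID,
cert IDs, dates, seed and the choice of sha256 for <F> are constructed."""
import hashlib
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Crl:
    issuer: str
    sequence: int
    expires: str
    delta_from: Optional[int] = None        # Delta-from-CRL; absent in a full CRL
    revoked: dict = field(default_factory=dict)  # cert ID -> reason (raw text)
    ecr_hash: Optional[str] = None          # <F>: name of the hash algorithm
    ecr_value: Optional[str] = None         # <V>: published end of the hash chain


def parse_crl(text: str) -> Crl:
    """Parse 'field: value' lines. Field names are matched case-insensitively;
    <reason> after the comma is optional raw text; 'signature' is ignored."""
    fields, revoked = {}, {}
    for raw in text.strip().splitlines():
        key, sep, value = raw.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "revoke":
            cert_id, _, reason = value.partition(",")
            revoked[cert_id.strip()] = reason.strip()
        else:
            fields[key] = value
    ecr_hash = ecr_value = None
    if "crl-ecr-params" in fields:
        ecr_hash, _, ecr_value = (p.strip() for p in fields["crl-ecr-params"].partition(","))
    return Crl(
        issuer=fields["issuer"],
        sequence=int(fields["crl-sequence"]),
        expires=fields["expires"],
        delta_from=int(fields["delta-from-crl"]) if "delta-from-crl" in fields else None,
        revoked=revoked,
        ecr_hash=ecr_hash,
        ecr_value=ecr_value,
    )


def apply_delta(base: Crl, delta: Crl) -> Crl:
    """Incorporate the prior CRL by reference: the delta must name the base's
    sequence number, and the effective revocation list is the union."""
    if delta.issuer != base.issuer or delta.delta_from != base.sequence:
        raise ValueError("delta does not chain to this base CRL")
    merged = dict(base.revoked)
    merged.update(delta.revoked)
    return Crl(delta.issuer, delta.sequence, delta.expires, None, merged,
               delta.ecr_hash, delta.ecr_value)


def ecr_chain(algo: str, seed: bytes, length: int) -> list:
    """Issuer side: v[0] = seed, v[i] = F(v[i-1]); the CRL publishes v[length]."""
    chain = [seed.hex()]
    for _ in range(length):
        chain.append(hashlib.new(algo, bytes.fromhex(chain[-1])).hexdigest())
    return chain


def verify_empty_delta(line: str, base: Crl) -> bool:
    """Check 'ECR-empty-delta: S,D,V'': D must be the base CRL's sequence and
    F applied S-D times to V' must equal the <V> published in that base CRL."""
    key, _, value = line.partition(":")
    if key.strip().lower() != "ecr-empty-delta" or not base.ecr_hash:
        return False
    s_txt, d_txt, v_prime = (p.strip() for p in value.split(","))
    s, d = int(s_txt), int(d_txt)
    if d != base.sequence or s <= d:
        return False
    x = v_prime
    for _ in range(s - d):
        x = hashlib.new(base.ecr_hash, bytes.fromhex(x)).hexdigest()
    return x == base.ecr_value


# --- constructed sample data (not from the message) ---
CHAIN = ecr_chain("sha256", b"issuer-secret-seed-example", 10)

FULL_CRL = f"""begin: example full CRL
issuer: KEYID-example-issuer
CRL-sequence: 5
revoke: THUMB-aaaa,key compromise
revoke: THUMB-bbbb,
expires: 1997-06-01T00:00:00Z
CRL-ECR-params: sha256,{CHAIN[10]}
end: example full CRL
"""

DELTA_CRL = """begin: example delta CRL
issuer: KEYID-example-issuer
CRL-sequence: 6
Delta-from-CRL: 5
revoke: THUMB-cccc,superseded
expires: 1997-06-02T00:00:00Z
end: example delta CRL
"""


def demo() -> dict:
    base = parse_crl(FULL_CRL)
    merged = apply_delta(base, parse_crl(DELTA_CRL))
    # S=7, D=5: the verifier needs the 2nd pre-image of CHAIN[10], i.e. CHAIN[8]
    good = verify_empty_delta(f"ECR-empty-delta: 7,5,{CHAIN[8]}", base)
    bad = verify_empty_delta(f"ECR-empty-delta: 7,5,{CHAIN[7]}", base)
    return {"merged_revoked": sorted(merged.revoked),
            "empty_delta_ok": good, "wrong_preimage_ok": bad}


if __name__ == "__main__":
    print(demo())
```

The one-line form is only accepted when D matches a CRL the verifier already holds and S is strictly later; a pre-image from the wrong position in the chain fails, which is what makes the chain value a compact proof that "nothing new was revoked" without a signature on each empty delta.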