Rethink CRLs


I have to say that I really agree with Bob's "ON THE OTHER HAND" point
about CRLs.  In today's increasingly interconnected online world, CRLs
make less and less sense.  I think that online validation is the way to
go, because it simplifies PKI management and it makes the most up-to-date
information available to those who want it.

Bob did throw one fly into the online ointment:

On Wed, 7 Aug 1996, Bob Jueneman wrote:
> The only real problem with this approach is that it cannot be done 
> in disconnected mode, i.e., if you want to validate a document while you
> are flying at 30,000 feet and don't want to pay for the AirPhone time to
> access your network.

To this I would say that (a) you should cache validated certificates, just
in case you can't get online, and/or (b) if what you're doing at 30k feet
is important enough that you need that online validation, pay for the
phone call!  Or just wait until you can reconnect to the network.

People/companies who want to save on their online costs could implement
CRL-like caching schemes.  They could periodically retrieve
CRLs/delta-CRLs according to their risk needs.  This way, they wouldn't
have to depend on their CA's CRL policy, but could implement their own
tailor-made solution.  The CA could just make the latest CRL available
online and let the clients worry about distribution.
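The client-side scheme sketched in the last two paragraphs (online validation first, a locally cached CRL refreshed with delta-CRLs on the client's own schedule for when the network is unavailable), written out as an added example that is not part of the original message. The CRL record, the fetch callables, the serial numbers and the timestamps are constructed stand-ins, not a real PKI library or CA.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Set

@dataclass
class CRL:
    issued_at: int                   # seconds since epoch (constructed values)
    revoked: Set[str]                # serial numbers listed as revoked
    delta_of: Optional[int] = None   # issued_at of the base CRL a delta extends

class RevocationChecker:
    """Online check first; offline, use the cached CRL while it is fresh enough."""

    def __init__(self, fetch_status: Callable[[str], bool],
                 fetch_crl: Callable[[], CRL], max_age: int):
        self.fetch_status = fetch_status  # online query; raises ConnectionError offline
        self.fetch_crl = fetch_crl        # newest CRL or delta-CRL the CA publishes
        self.max_age = max_age            # staleness limit in seconds, set by the client
        self.cached: Optional[CRL] = None

    def refresh(self) -> None:
        """Pull the CA's latest CRL on the client's own schedule; merge deltas."""
        try:
            crl = self.fetch_crl()
        except ConnectionError:
            return                        # offline: keep whatever is cached
        if crl.delta_of is None:          # full CRL replaces the cache
            self.cached = CRL(crl.issued_at, set(crl.revoked))
        elif self.cached and crl.delta_of <= self.cached.issued_at < crl.issued_at:
            self.cached = CRL(crl.issued_at, self.cached.revoked | crl.revoked)
        # a newer delta whose base was never fetched is ignored; the old cache stays

    def status(self, serial: str, now: int) -> str:
        try:
            return "revoked" if self.fetch_status(serial) else "good"
        except ConnectionError:           # disconnected: fall back to the local cache
            if self.cached is None or now - self.cached.issued_at > self.max_age:
                return "unknown"          # older than the client's limit: fail closed
            return "revoked" if serial in self.cached.revoked else "good"

def demo() -> list:
    def offline(*_): raise ConnectionError     # simulates no network at all
    base = CRL(issued_at=1000, revoked={"0x1a"})            # constructed CRLs
    delta = CRL(issued_at=1500, revoked={"0x2b"}, delta_of=1000)
    chk = RevocationChecker(offline, lambda: base, max_age=900)
    chk.refresh()                       # base CRL cached while connected
    chk.fetch_crl = lambda: delta
    chk.refresh()                       # delta merged: 0x1a and 0x2b revoked
    return [chk.status("0x2b", now=2000),  # cache 500s old, within max_age
            chk.status("0x3c", now=2000),  # not listed in the fresh cache
            chk.status("0x3c", now=3000)]  # cache 1500s old: fail closed
```

The `max_age` value is the knob the post describes: each client picks it from its own risk needs rather than inheriting the CA's CRL issuance policy, and a cache older than that limit yields "unknown" instead of a guess.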


