Re: Rethink CRLs
>I have to say that I really agree with Bob's "ON THE OTHER HAND" point
>about CRLs. In today's increasingly interconnected online world, CRLs
>make less and less sense. I think that online validation is the way to
>go, because it simplifies PKI management and it makes the most up-to-date
>information available to those who want it.
>Bob did throw one fly into the online ointment:
>On Wed, 7 Aug 1996, Bob Jueneman wrote:
>> The only real problem with this approach is that it cannot be done
>> in disconnected mode, i.e., if you want to validate a document while you
>> are flying at 30,000 feet and don't want to pay for the AirPhone time to
>> access your network.
>To this I would say that (a) you should cache validated certificates, just
>in case you can't get online, and/or (b) if what you're doing at 30k feet
>is important enough that you need that online validation, pay for the
>phone call! Or just wait until you can reconnect to the network.
Or, assuming you're getting this document from somewhere on-line, if it's
important enough to be validated, why don't you do the on-line validation at
the same time you download? You could then keep the document and
While I'm not prepared to say there is no need for CRLs, the implementation
I am looking at would be one supporting on-line validation.
Just my $.02.
Jeff Parrett (firstname.lastname@example.org)
The stars are the limit!
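The thread's two suggestions, validate while you are still online (at download time) and cache the answer for the disconnected case, are sketched below as an added example; it is not code from the original mailing-list post or from any project mentioned in it. The names `RevocationChecker`, `ValidationRecord`, `demo_responder` and `walkthrough` are assumptions for this illustration, and the "online responder" is a constructed in-memory table standing in for a real status service. The point it makes beyond the text: a cached answer is only a stand-in for a live one while it is younger than a configured age, and a certificate that was never checked online has nothing to fall back on.

```python
"""Online certificate-status validation with a cache for offline use.

Added illustration (not from the original thread). A live lookup is
preferred whenever the network is reachable; the answer is cached with
the time it was obtained so that a later offline check can reuse it,
but only while it is younger than max_cache_age. The responder is a
constructed in-memory table, a stand-in for a real status service.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class ValidationRecord:
    cert_id: str          # identifier of the certificate that was checked
    status: str           # "good" or "revoked", as reported by the responder
    checked_at: datetime  # time of the online check this answer came from
    source: str           # "online" for a live answer, "cache" for a reused one


class RevocationChecker:
    """Prefer a live answer; fall back to a cached one only while it is fresh."""

    def __init__(self, online_lookup: Callable[[str], str], max_cache_age: timedelta):
        self.online_lookup = online_lookup
        self.max_cache_age = max_cache_age
        self.cache: Dict[str, ValidationRecord] = {}

    def check(self, cert_id: str, now: datetime, online: bool) -> Optional[ValidationRecord]:
        """Return a usable validation record, or None when no trustworthy answer exists."""
        if online:
            try:
                status = self.online_lookup(cert_id)
            except ConnectionError:
                pass  # a failed lookup is treated exactly like being disconnected
            else:
                record = ValidationRecord(cert_id, status, now, "online")
                self.cache[cert_id] = record  # keep it for a later offline check
                return record
        cached = self.cache.get(cert_id)
        if cached is None:
            return None  # never validated while online: nothing to fall back on
        if now - cached.checked_at > self.max_cache_age:
            return None  # the cached answer is too old to be relied upon
        return ValidationRecord(cert_id, cached.status, cached.checked_at, "cache")


# Constructed responder table: stands in for an online status service.
_DEMO_RESPONDER_TABLE = {"cert-alice": "good", "cert-bob": "revoked"}


def demo_responder(cert_id: str) -> str:
    """Constructed online lookup; certificates it does not know are reported as revoked."""
    return _DEMO_RESPONDER_TABLE.get(cert_id, "revoked")


def demo_checker() -> RevocationChecker:
    """Checker that trusts a cached answer for at most one day (an assumed policy)."""
    return RevocationChecker(demo_responder, max_cache_age=timedelta(days=1))


def walkthrough():
    """Validate at download time, then reuse the answer offline while it is fresh."""
    t0 = datetime(1996, 8, 7, 9, 0, tzinfo=timezone.utc)
    checker = demo_checker()
    at_download = checker.check("cert-alice", t0, online=True)                       # live answer
    in_flight = checker.check("cert-alice", t0 + timedelta(hours=6), online=False)   # cache still fresh
    next_week = checker.check("cert-alice", t0 + timedelta(days=7), online=False)    # cache too old
    never_seen = checker.check("cert-carol", t0, online=False)                       # nothing cached
    return at_download, in_flight, next_week, never_seen


if __name__ == "__main__":
    for record in walkthrough():
        print(record)
```

The `source` field matters for a relying party: a document validated at download time carries an "online" answer, while one checked at 30,000 feet carries a "cache" answer whose `checked_at` says how stale it might be, and the caller can decide how much age to tolerate for that document.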