
Re: Rethink CRLs

>I have to say that I really agree with Bob's "ON THE OTHER HAND" point
>about CRLs.  In today's increasingly interconnected online world, CRLs
>make less and less sense.  I think that online validation is the way to
>go, because it simplifies PKI management and it makes the most up-to-date
>information available to those who want it.
>Bob did throw one fly into the online ointment:
>On Wed, 7 Aug 1996, Bob Jueneman wrote:
>> The only real problem with this approach is that it cannot be done
>> in disconnected mode, i.e., if you want to validate a document while you
>> are flying at 30,000 feet and don't want to pay for the AirPhone time to
>> access your network.
>To this I would say that (a) you should cache validated certificates, just
>in case you can't get online, and/or (b) if what you're doing at 30k feet
>is important enough that you need that online validation, pay for the
>phone call!  Or just wait until you can reconnect to the network.

Or, assuming you're getting this document from somewhere on-line, if it's
important enough to be validated, why don't you do the on-line validation at
the same time you download? You could then keep the document and
certificate together.

While I'm not prepared to say there is no need for CRLs, the implementation
I am looking at would be one supporting on-line validation.

Just my $.02.


Jeff Parrett (starman@llnl.gov)
The stars are the limit!
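The pattern suggested above (validate on-line at download time, keep the result paired with the document, and fall back to the cached answer only when disconnected), written out as an added example that is not part of the original thread. The validation service is a constructed in-memory table, the one-day cache lifetime is an assumed local policy, and the document, certificate identifier and timestamps are made up for the demonstration; the last case deliberately shows the cost of trusting a cached answer while off-line.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Assumed local policy (not from the original post): how long a disconnected
# verifier may keep trusting a result that was obtained on-line at download.
MAX_CACHE_AGE_SECONDS = 24 * 3600


@dataclass(frozen=True)
class ValidationRecord:
    """The on-line check's answer, pinned to the document it was made for."""
    doc_sha256: str
    cert_id: str
    status: str          # "good" or "revoked" as reported by the service
    validated_at: float  # epoch seconds when the on-line check was made


def download_and_validate(document: bytes, cert_id: str,
                          online_check: Callable[[str], str],
                          now: float) -> ValidationRecord:
    """Do the on-line check while fetching the document and store the answer
    together with a hash of the document, so the two cannot be separated."""
    return ValidationRecord(
        doc_sha256=hashlib.sha256(document).hexdigest(),
        cert_id=cert_id,
        status=online_check(cert_id),
        validated_at=now,
    )


def verify(document: bytes, record: ValidationRecord, now: float,
           online_check: Optional[Callable[[str], str]] = None) -> Tuple[bool, str]:
    """Later verification. Connected: ask the service again. Disconnected:
    accept the stored answer only if it is for this document and still fresh."""
    if hashlib.sha256(document).hexdigest() != record.doc_sha256:
        return False, "record is not for this document"
    if online_check is not None:
        status = online_check(record.cert_id)
        return status == "good", "online: " + status
    age = now - record.validated_at
    if age < 0 or age > MAX_CACHE_AGE_SECONDS:
        return False, "offline: cached result is stale"
    return record.status == "good", "offline: cached " + record.status


# Constructed stand-in for the on-line validation service: a mutable table
# of certificate status, so the example can simulate a later revocation.
DIRECTORY = {"cert-42": "good"}


def lookup(cert_id: str) -> str:
    return DIRECTORY.get(cert_id, "revoked")


def demo() -> dict:
    DIRECTORY["cert-42"] = "good"            # reset the constructed service
    doc = b"constructed sample document"
    t0 = 1_000_000.0                         # assumed download time
    rec = download_and_validate(doc, "cert-42", lookup, now=t0)
    results = {
        "offline_fresh": verify(doc, rec, now=t0 + 3600),
        "offline_stale": verify(doc, rec, now=t0 + 3 * 24 * 3600),
        "wrong_doc": verify(b"tampered", rec, now=t0 + 3600),
    }
    DIRECTORY["cert-42"] = "revoked"         # certificate revoked after download
    results["online_after_revocation"] = verify(doc, rec, now=t0 + 3600,
                                                online_check=lookup)
    results["offline_after_revocation"] = verify(doc, rec, now=t0 + 3600)
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:26s} accepted={ok} ({why})")
```

Two things the toy leaves out that a real deployment needs: the stored record must be signed by the validation service (otherwise anyone holding the document can write their own "good" answer), and the final case shows that a cached answer says nothing about revocations that happen after download, which is exactly the window the cache lifetime bounds.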