[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CRL format revision -Reply

Bob Jueneman writes:

> As long as you are departing substantially form the X.509
> certificate format, you should perhaps consider departing from the
> CRL paradigm entirely, and moving to an on-line, positive acknowledgment
> of the validity of a signature/certificate.

The whole point of public key cryptography is to remove the need for on-line
services which mediate the establishment of secure communications.   By 
requiring a trusted directory service (or validation or whatever you want to
call it) to be available you would defeating any advantages of public key.
> The ideal solution to the overall problem would be some scheme that would 
> distribute base-level CRLs on a CD-ROM-of-the-month, plus delta CRLS 
> that could be downloaded according to the relying party's perceived 
> risk, plus an on-line positive validation scheme for near real-time, high-value
> transactions.

I know there is a great anti-X.500 sentiment in this group, but isn't this what 
X.500 already provides.   Latest copies of certificates are available in the 
Directory - so if you have on-line access you can pull it off from there (this
assumes that CAs pull revoked certificates from the Directory), CRLs are 
periodically distributed and lodged in the Directory from which they can be
retrieved at any time.

Now about this wheel thingy... how about if we make it square... it would be
easier to implement that way....


Michael Warner
Telstra Research Labs