[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Rethink CRLs

To: spki@c2.org
Subject: Re: Rethink CRLs
From: Dan Molinelli <moline@gumby.dsd.TRW.COM>
Date: Thu, 08 Aug 1996 10:36:39 -0700
In-Reply-To: Your message of "Wed, 07 Aug 1996 15:13:01 EDT." <Pine.LNX.3.93.960807143738.5204A-100000@aardvark.zoo.net>
Sender: owner-spki@c2.org


i tend to not like CRLs. i've seen CRLs lists before within x.500
and if the CA has been compromised then ALL certs issued by that CA would
then be revocated. is it workable when CRLs get over some threshold?
(bulk file transfer via CMIP!!?)

i've seen ATT's PathServer for PGP certs. (from mike reiter)
( http://akpublic.research.att.com/~reiter/PathServer)
is something along that line worthwhile. e.g., online auth/sig verification?
(if the cert cannot be validated ('connected') in 'real time' then can it
be trusted? or do i care?)

developing a PKI for employees needs a requirement to revocate (transfer,
leave of absence, terminated etc.). short validity periods may work
but is an admin nightmare. CRLs may work - but how/does it scale?

later
dan

Follow-Ups:

Re: Rethink CRLs

From: "Buffam, William J TR" <bjb@trsvr.tr.unisys.com>

References:

Rethink CRLs

From: Marc Branchaud <marcnarc@zoo.net>

Prev by Date: Re: NIST involvement in PKI
Next by Date: Re: CRL format revision -Reply
Prev by thread: Re: Rethink CRLs
Next by thread: Re: Rethink CRLs
Index(es):
- Main
- Thread