Re: Rethink CRLs

i tend to not like CRLs. i've seen CRL lists before within x.500,
and if the CA has been compromised then ALL certs issued by that CA would
then be revoked. is it workable when CRLs get over some threshold?
(bulk file transfer via CMIP!!?)

i've seen AT&T's PathServer for PGP certs (from mike reiter).
( http://akpublic.research.att.com/~reiter/PathServer )
is something along that line worthwhile, e.g., online auth/sig verification?
(if the cert cannot be validated ('connected') in 'real time' then can it
be trusted? or do i care?)

developing a PKI for employees needs a requirement to revoke (transfer,
leave of absence, terminated, etc.). short validity periods may work
but are an admin nightmare. CRLs may work - but how/does it scale?
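An added illustration of the two questions raised in this post (not code from the post, PathServer, or any real CRL implementation): a toy CRL model showing that entries can be dropped once the revoked cert itself expires, so the CRL size is bounded by roughly revocation rate times validity period, and that a stale CRL (nextUpdate passed) yields an "unknown" answer the relying party must handle. All serials, dates and the daily revocation rate are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed reference time


@dataclass
class Crl:
    """Minimal CRL model (constructed; not a parser for real DER CRLs)."""
    this_update: datetime
    next_update: datetime
    # serial -> (revocation time, the revoked cert's notAfter)
    revoked: dict = field(default_factory=dict)

    def prune_expired(self, now):
        """An issuer may drop entries whose cert has already expired (RFC 5280);
        this is what keeps CRL size near (revocation rate x validity period)."""
        keep = {s: v for s, v in self.revoked.items() if v[1] > now}
        dropped = len(self.revoked) - len(keep)
        self.revoked = keep
        return dropped


def check_status(crl, serial, now):
    """'revoked', 'good', or 'unknown' when the CRL is stale or not yet valid;
    the relying party then decides whether to fail closed or fail open."""
    if now < crl.this_update or now > crl.next_update:
        return "unknown"
    return "revoked" if serial in crl.revoked else "good"


def build_sample_crl(validity_days):
    """Constructed sample: one revocation per day for 400 days; each cert was
    issued on its revocation day with the given validity period."""
    crl = Crl(this_update=T0 + timedelta(days=400),
              next_update=T0 + timedelta(days=401))
    for day in range(400):
        revoked_at = T0 + timedelta(days=day)
        crl.revoked[1000 + day] = (revoked_at, revoked_at + timedelta(days=validity_days))
    return crl


def pruned_size(validity_days, now=T0 + timedelta(days=400)):
    """CRL entry count after pruning: shorter validity periods keep the CRL small."""
    crl = build_sample_crl(validity_days)
    crl.prune_expired(now)
    return len(crl.revoked)


if __name__ == "__main__":
    for v in (30, 90, 365):
        print(f"validity {v:3d} days -> {pruned_size(v)} CRL entries")
    crl, now = build_sample_crl(365), T0 + timedelta(days=400)
    print(check_status(crl, 1399, now), check_status(crl, 1, now),
          check_status(crl, 1399, now + timedelta(days=2)))
```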


