[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

cert/CRL online database versus client ownership

To: Marc Branchaud <marcnarc@zoo.net>
Subject: cert/CRL online database versus client ownership
From: Carl Ellison <cme@cybercash.com>
Date: Thu, 08 Aug 1996 13:59:29 -0400
Cc: spki@c2.org
Sender: owner-spki@c2.org

At 03:13 PM 8/7/96 -0400, Marc Branchaud wrote:
>Subject: Re: Rethink CRLs
[...]
>To this I would say that (a) you should cache validated certificates, just
>in case you can't get online, and/or (b) if what you're doing at 30k feet
>is important enough that you need that online validation, pay for the
>phone call!  Or just wait until you can reconnect to the network.
>
>People/companies who want to save on their online costs could implement
>CRL-like caching schemes.  They could periodically retrieve
>CRLs/delta-CRLs according to their risk needs.  This way, they wouldn't
>have to depend on their CA's CRL policy, but could implement their own
>tailor-made solution.  The CA could just make the latest CRL available
>online and let the clients worry about distribution.

This is a question we've skirted all along.  We aren't defining a
distribution medium.  There are others doing that.  In all the cases I've
seen so far, it made sense for the client who wanted access to carry his own
certificates with him and present them on demand.  If you do that, there's
no need for a directory of certificates.

We know that X.500 came first and then X.509 came along to provide keys for
validating changes to the X.500 entries and then X.500 died and X.509 was
left on its own.  Could it be that the idea of a global directory is an
X.500 attribute which has been carried along without careful examination?

Is there any need for a global database of certificates?  The only case I've
heard of was the e-mail case -- where I want to send my old buddy an
encrypted message so I want to look up his key before I make contact.
AFAIK, that's an empty case -- since any global database will have names I
can't disambiguate, so I can't trust them for this purpose.

 - Carl

+--------------------------------------------------------------------------+
|Carl M. Ellison          cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc.                              http://www.cybercash.com/    |
|207 Grindall Street           PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Baltimore MD 21230-4103       T:(410) 727-4288     F:(410)727-4293        |
+--------------------------------------------------------------------------+

Prev by Date: Re: CRL format revision -Reply
Next by Date: CRL versys short-expiry
Prev by thread: Another suspenseful note
Next by thread: CRL versys short-expiry
Index(es):
- Main
- Thread