
Re: Rethink CRLs

> developing a PKI for employees needs a requirement to revoke (transfer,
> leave of absence, terminated etc.). short validity periods may work
> but is an admin nightmare. CRLs may work - but how/does it scale?

This was my initial reaction also.  However, as I have noted in recent
messages, I believe we have a lot of the short expiry problems tamed,
if not entirely vanquished.  Section 6.1 of the draft supports automating
the revalidation of an expired certificate.  I believe it can be shown
that this automation can be done without compromising security.

Brian Thomas - Distributed Systems Architect  bt0008@entropy.sbc.com
Southwestern Bell                             bthomas@primary.net
One Bell Center,  Room 23Q1                   Tel: 314 235 3141
St. Louis, MO 63101                           Fax: 314 331 2755