
Re: Rethink CRLs



Dan Molinelli wrote:
> 
> I tend to not like CRLs. I've seen CRL lists before within X.500
> and if the CA has been compromised then ALL certs issued by that CA would
> then be revoked. 

??????  Just leave the CA-issued certs alone. Revoke the CA's cert, then
when you validate the CA-issued cert's validation chain, it fails
because the CA's cert is revoked. What do you gain by revoking the
issued certs individually (and so on down the chain)?

-- 

Bill Buffam
Unisys, Malvern PA
bjb@trsvr.tr.unisys.com
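
The chain check described in the reply above, as an added example that is not part of the original message. It is a simplified model with no signature verification; the certificate names, serial numbers and the three-level hierarchy are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int

# Constructed sample hierarchy: root -> issuing CA -> two end-entity certs.
CERTS = {c.subject: c for c in (
    Cert("Root CA", "Root CA", 1),
    Cert("Issuing CA", "Root CA", 10),
    Cert("alice", "Issuing CA", 100),
    Cert("bob", "Issuing CA", 101),
)}
TRUST_ANCHORS = {"Root CA"}

def validate_chain(subject, crls, certs=CERTS, anchors=TRUST_ANCHORS):
    """Walk from subject up to a trust anchor, checking every certificate
    against the CRL published by its issuer. Returns (ok, reason)."""
    seen = set()
    name = subject
    while True:
        cert = certs.get(name)
        if cert is None:
            return False, f"no certificate for {name}"
        if name in anchors:
            return True, "chain reaches trust anchor"
        if name in seen:
            return False, "loop in chain"
        seen.add(name)
        # crls maps an issuer name to the set of serials it has revoked.
        if cert.serial in crls.get(cert.issuer, set()):
            return False, f"{cert.subject} revoked by {cert.issuer}"
        name = cert.issuer

def demo():
    """One CRL entry for the CA's own cert fails every cert beneath it."""
    ca_revoked = {"Root CA": {10}, "Issuing CA": set()}
    return {leaf: validate_chain(leaf, ca_revoked) for leaf in ("alice", "bob")}

if __name__ == "__main__":
    for leaf, result in demo().items():
        print(leaf, result)
```

The issuing CA's CRL stays empty throughout: neither end-entity serial is listed anywhere, yet both chains fail at the CA's certificate.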
