[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Rethink CRLs

At 09:35 AM 8/9/96 -0400, Buffam, William J TR wrote:
>Dan Molinelli wrote:
>> i tend to not like CRLs. i've seen CRLs lists before within x.500
>> and if the CA has been compromised then ALL certs issued by that CA would
>> then be revocated. 
>??????  Just leave the CA-issued certs alone. Revoke the CA's cert, then
>when you validate the CA-issued cert's validation chain, it fails
>because the CA's cert is revoked. What do you gain by revoking the
>issued certs individually (and so on down the chain)?

We discussed this a bit ago -- maybe off-list.  Revocation of a cert needs a
meaning just as a cert needs a meaning.

You need to know if the private key has been compromised -- and if so, when.
In particular, you need to know during what time period the private key was
valid in spite of its later compromise -- so that certs issued in that
period remain valid.

Then again, maybe it wasn't a private key compromise.  Maybe the CA had an
employee from April 10, 1996 and July 19, 1996 who issued some certificates
improperly -- until he was caught and fired.

|Carl M. Ellison          cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc.                              http://www.cybercash.com/    |
|207 Grindall Street           PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Baltimore MD 21230-4103       T:(410) 727-4288     F:(410)727-4293        |