Re: Rethink CRLs
At 09:35 AM 8/9/96 -0400, Buffam, William J TR wrote:
>Dan Molinelli wrote:
>>
>> I tend to not like CRLs. I've seen CRL lists before within X.500
>> and if the CA has been compromised then ALL certs issued by that CA would
>> then be revoked.
>
>?????? Just leave the CA-issued certs alone. Revoke the CA's cert, then
>when you validate the CA-issued cert's validation chain, it fails
>because the CA's cert is revoked. What do you gain by revoking the
>issued certs individually (and so on down the chain)?

We discussed this a bit ago -- maybe off-list. Revocation of a cert needs a
meaning just as a cert needs a meaning.

You need to know if the private key has been compromised -- and if so, when.
In particular, you need to know during what time period the private key was
valid in spite of its later compromise -- so that certs issued in that
period remain valid.

Then again, maybe it wasn't a private key compromise. Maybe the CA had an
employee from April 10, 1996 to July 19, 1996 who issued some certificates
improperly -- until he was caught and fired.

+--------------------------------------------------------------------------+
|Carl M. Ellison cme@cybercash.com http://www.clark.net/pub/cme |
|CyberCash, Inc. http://www.cybercash.com/ |
|207 Grindall Street PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Baltimore MD 21230-4103 T:(410) 727-4288 F:(410)727-4293 |
+--------------------------------------------------------------------------+
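
The two cases in this message, as an added example that is not part of the original post: a CA revocation record carrying a reason and a suspect period, checked against certs issued before, during and after that period. The record layout, function names, cert names and the key-compromise date are assumptions made for illustration (only the April 10 and July 19, 1996 dates come from the message), and treating every cert issued inside the suspect period as failing is a simplification of the sketch.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class CARevocation:
    """Hypothetical revocation record for a CA cert that states what it means."""
    reason: str                       # "key_compromise" or "improper_issuance"
    bad_from: date                    # first day the CA's signatures are suspect
    bad_until: Optional[date] = None  # None: suspect from bad_from onward

    def covers(self, issued_on: date) -> bool:
        """True if a cert issued on this date falls in the suspect period."""
        if issued_on < self.bad_from:
            return False
        return self.bad_until is None or issued_on <= self.bad_until


def chain_ok_flat(ca_rev: Optional[CARevocation]) -> bool:
    """Revocation with no meaning attached: a revoked CA fails every issued cert."""
    return ca_rev is None


def chain_ok_dated(issued_on: date, ca_rev: Optional[CARevocation]) -> bool:
    """Revocation with a meaning: only certs issued in the suspect period fail.

    Assumption: issued_on comes from a record the CA key holder cannot forge
    (a trusted timestamp or issuance log). A date written inside the cert can
    be backdated by whoever holds a compromised key.
    """
    return ca_rev is None or not ca_rev.covers(issued_on)


def evaluate(issued: dict, ca_rev: Optional[CARevocation]) -> dict:
    """Map each cert name to (flat verdict, dated verdict)."""
    return {name: (chain_ok_flat(ca_rev), chain_ok_dated(day, ca_rev))
            for name, day in issued.items()}

# Constructed sample data: cert names and issuance dates are made up.
ISSUED = {"alice": date(1996, 3, 1), "bob": date(1996, 5, 20), "carol": date(1996, 8, 1)}
# Constructed compromise date for the first case.
KEY_COMPROMISE = CARevocation("key_compromise", bad_from=date(1996, 5, 1))
# The employee window uses the two dates given in the message.
ROGUE_EMPLOYEE = CARevocation("improper_issuance", date(1996, 4, 10), date(1996, 7, 19))

if __name__ == "__main__":
    for rev in (KEY_COMPROMISE, ROGUE_EMPLOYEE):
        print(rev.reason, evaluate(ISSUED, rev))
```

With the open-ended compromise record only the cert issued before the compromise date survives; with the bounded employee window the certs issued before and after it both survive, which a bare "CA cert revoked" flag cannot express.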