Re: CRL formats

Carl Ellison and I have been discussing CRL formats.
>At 11:02 PM 8/11/96 -0700, Bill Stewart wrote:
>>You probably don't need post-dated CRLs, but you may need back-dated ones
>>for after-the-fact dispute resolution.  For instance, if there's an
>>argument about whether CRL Carol's certification of Bob was valid
>>at 12:34 Thursday 6/7 when Alice used it, having an "effective now" CRL
>>isn't very useful; having an "Effective now 11:00 GMT Thursday 6/7" is.

An effective-date lets you decide after the fact whether you were
using the right CRL, and if there are multiple CRLs "effective now",
it lets you choose the right one; an effective-until date doesn't do that.
(Ideally, you won't have overlapping CRLs, but in practice it may
help to distribute the new CRL before the old one has expired,
especially if you're using incrementals or communications are slow,
or if an important cert needs to be revoked.)

Aside from use in court, there are other times you may want to know:
troubleshooting (from a user standpoint as well as software debugging),
possibly billing purposes, and (less likely) resolving security leaks,
though denial-of-service is the main active threat.
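
An added example, not part of the original message: picking the CRL that was in effect at a disputed time when two CRLs overlap, next to what an effective-until date alone can tell you. The field names, serial number, year and timestamps are constructed assumptions, not a real CRL encoding.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class CRL:
    issuer: str
    effective: datetime   # the "effective now <timestamp>" date discussed above
    until: datetime       # the effective-until date
    revoked: frozenset    # serials of revoked certificates (constructed)

def crl_in_effect(crls, issuer, at):
    """Latest CRL from `issuer` whose effective date is not after `at`."""
    started = [c for c in crls if c.issuer == issuer and c.effective <= at]
    if not started:
        raise LookupError("no CRL from this issuer was in effect at that time")
    return max(started, key=lambda c: c.effective)

def candidates_by_until(crls, issuer, at):
    """All an effective-until date can say: every CRL not yet expired at `at`."""
    return [c for c in crls if c.issuer == issuer and c.until >= at]

def cert_valid_at(crls, issuer, serial, at):
    """True if `serial` was not revoked on the CRL in effect at `at`."""
    return serial not in crl_in_effect(crls, issuer, at).revoked

def utc(day, hour, minute=0):
    # Constructed dates: the year and month are placeholders for the example.
    return datetime(1996, 6, day, hour, minute, tzinfo=timezone.utc)

BOB = 1001  # constructed serial for Bob's certificate
CRLS = [
    # Old CRL, still unexpired when the new one goes out.
    CRL("Carol", utc(6, 11), utc(7, 18), frozenset()),
    # New CRL distributed early because Bob's certificate had to be revoked.
    CRL("Carol", utc(7, 11), utc(8, 11), frozenset({BOB})),
]
ALICE_USED_CERT = utc(7, 12, 34)

if __name__ == "__main__":
    unexpired = candidates_by_until(CRLS, "Carol", ALICE_USED_CERT)
    print("unexpired CRLs at dispute time:", len(unexpired))
    chosen = crl_in_effect(CRLS, "Carol", ALICE_USED_CERT)
    print("CRL in effect since:", chosen.effective.isoformat())
    print("Bob's cert valid:", cert_valid_at(CRLS, "Carol", BOB, ALICE_USED_CERT))
```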

