
Re: Rethink CRLs

>         there's a difference between "this private key is no longer good as
> of <date>", "this private key was in the hands of the enemy between <date1>
> and <date2> but it's back now", and "this private key went bad sometime, but
> we don't know when, so don't trust it even from the beginning".
>         Especially when it's a CA's private key, the result of those three
> different interpretations is quite different.

There is some curiosity value to a human, but the reaction for all three
should probably be the same.   If you suspect a key has been compromised,
you cease to use it.   Even if you "get it back", the fact that it was "in
the hands of the enemy" means it should be considered compromised.

In which case the behaviour you wish to encourage by issuing CRLs in the
above three examples is:

1) don't trust the certificate after <date>

2) don't trust the certificate after <date1>

3) don't trust the certificate after <creation-date>

I believe this approach is both simpler to deal with, and also encourages
a more sensible security policy.


Michael Warner
Telstra Research Labs
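The policy argued for above, collapsing the three compromise reports to a single "don't trust after" cutoff, written out as an added illustration (not code from the thread or from any CRL implementation); the record types, key names and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

UTC = timezone.utc


@dataclass(frozen=True)
class KeyRecord:
    """Constructed key metadata: the key's identifier and creation date."""
    key_id: str
    created: datetime


@dataclass(frozen=True)
class CompromiseReport:
    """The three situations from the thread.

    kind:
      "retired"       - key no longer good as of `start`
      "window"        - enemy held it between `start` and `end`, then "got it back"
      "unknown_since" - went bad sometime, nobody knows when (dates unused)
    """
    kind: str
    start: Optional[datetime] = None
    end: Optional[datetime] = None


def distrust_after(key: KeyRecord, report: CompromiseReport) -> datetime:
    """Map each report to one cutoff: the earliest moment the key might
    have been in the wrong hands.  The `end` of a compromise window is
    deliberately ignored, since "getting it back" restores nothing."""
    if report.kind in ("retired", "window"):
        if report.start is None:
            raise ValueError(f"{report.kind!r} report needs a start date")
        return report.start
    if report.kind == "unknown_since":
        return key.created          # distrust from the very beginning
    raise ValueError(f"unknown report kind: {report.kind!r}")


def trusted_at(key: KeyRecord, report: CompromiseReport, when: datetime) -> bool:
    """Should a certificate or signature made with `key` at `when` be trusted?"""
    return when < distrust_after(key, report)


# Constructed sample: a CA key created 1996-01-01, held by an attacker in June 1996.
CA_KEY = KeyRecord("ca-key-01", datetime(1996, 1, 1, tzinfo=UTC))
WINDOW = CompromiseReport("window", datetime(1996, 6, 1, tzinfo=UTC), datetime(1996, 7, 1, tzinfo=UTC))
UNKNOWN = CompromiseReport("unknown_since")
```

A certificate the CA signed in August 1996, after the key was "back", is still rejected under the window report, and under the unknown report nothing signed by the key is trusted at all.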