Re: Rethink CRLs
At 12:24 AM 8/15/96 -0400, Carl Ellison wrote:
>At 10:13 AM 8/15/96 +1000, Michael Warner wrote:
>
>>There is some curiosity value to a human, but the reaction for all three
>>should probably be the same. If you suspect a key has been compromised,
>>you cease to use it. Even if you "get it back", the fact that it was "in
>>the hands of the enemy" means it should be considered compromised.
>>
>>In which case the behaviour you wish to encourage by issuing CRLs in the
>>above three examples are:
>>
>>1) don't trust the certificate after <date>
>>
>>2) don't trust the certificate after <date1>
>>
>>3) don't trust the certificate after <creation-date>
>>
>>I believe this approach is both simpler to deal with, and also encourages
>>a more sensible security policy.
>
>I can buy your simplification -=- although I can imagine a real scenario
>under which (2) might be real. That is, the private key is locked in a
>tamper-proof enclosure which is mislaid for a few days -- then turns up.
>[This happened with a US cipher device (SIGABA) during WW-II.] Once you get
>it back, you can tell if there has been a tamper attempt. The enemy might
>have had it or might not -- and *might* have used it during the period it
>was missing, but could not have copied the key.
I think I would like to view tamper-proof as really being tamper-resistant
and let the associated paranoia force me to insist on rekeying the box.
Then we can say, for SPKI, that the reaction should be the same for these 3
examples.
-------------------------------------------------------------------------
Bill Frantz | Cave ab homine unius lebri | Periwinkle -- Consulting
(408)356-8506 | [Beware the man of one | 16345 Englewood Ave.
frantz@netcom.com | book] - Anonymous Latin | Los Gatos, CA 95032, USA
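The "one date" rule the thread converges on, written out as an added example that is not part of this thread and not SPKI's own format or code: a verifier that keeps a single "don't trust the certificate after <date>" record per key. The three cases (known compromise, device lost and later recovered, key invalid from creation) differ only in which date goes into the record; the check itself is identical, and a recovered device is treated exactly like a stolen one. The data types, field names, reason strings and sample dates are all my own constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample types for illustration only; not SPKI's real certificate layout.

@dataclass(frozen=True)
class Certificate:
    key_id: str
    not_before: datetime   # creation date
    not_after: datetime    # expiry


@dataclass(frozen=True)
class Distrust:
    """One record per key: 'don't trust the certificate after <date>'."""
    key_id: str
    after: datetime
    reason: str  # kept for the curious human; the verifier never consults it


def distrust_after(cert: Certificate, reason: str,
                   event: Optional[datetime]) -> Distrust:
    """Collapse the thread's three cases onto a single distrust date.

    1) key known compromised        -> after <date> the compromise happened
    2) device lost, then recovered  -> after <date1> it went missing; getting
                                       it back changes nothing
    3) key never valid              -> after the certificate's creation date
    """
    if reason in ("compromised", "lost_and_recovered"):
        if event is None:
            raise ValueError("an event date is required for this reason")
        return Distrust(cert.key_id, event, reason)
    if reason == "invalid_at_creation":
        return Distrust(cert.key_id, cert.not_before, reason)
    raise ValueError(f"unknown reason: {reason}")


def trusted_at(cert: Certificate, when: datetime,
               records: list) -> bool:
    """Accept a use of `cert` at time `when` only if it falls inside the
    validity window and before every distrust date recorded for that key.

    The boundary is conservative: a use at exactly the distrust instant is
    rejected, so case 3 (after == creation date) rejects every use.
    """
    if not (cert.not_before <= when <= cert.not_after):
        return False
    for rec in records:
        if rec.key_id == cert.key_id and when >= rec.after:
            return False
    return True


def utc(y: int, m: int, d: int) -> datetime:
    """Helper for building constructed sample timestamps."""
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample certificate.
SAMPLE_CERT = Certificate("key-A", utc(1996, 1, 1), utc(1997, 1, 1))


if __name__ == "__main__":
    # Case 2 from the thread: the box went missing on 1996-06-01 and turned
    # up again a week later. Uses before it went missing stay good; uses
    # afterwards are refused regardless of the recovery.
    lost = distrust_after(SAMPLE_CERT, "lost_and_recovered", utc(1996, 6, 1))
    print(trusted_at(SAMPLE_CERT, utc(1996, 5, 1), [lost]))  # True
    print(trusted_at(SAMPLE_CERT, utc(1996, 7, 1), [lost]))  # False
```

Because `Distrust.reason` is informational only, the relying party's behaviour cannot diverge between the three cases, which is the policy simplification argued for above; the date is the only input the check reads.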