[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: CRLs versus short Validity periods
IMHO there are still applications where CRLs make sense. Anytime you want to
be able to negate the certificate's assertions outside of a validity window,
I think you need a CRL to do it properly. Key compromise (say I lose my
private key for my credit union account) is probably the most glaring
example, but I think there are others:
- I transfer out of a department where I have purchasing authority into one
where I don't
- I change stockbrokers and want to revoke the old broker's buy/sell
authority on my holdings
- the Episcopal Church wants to revoke one of its bishop's credentials for
and so on.
In general I agree with Carl's analysis, but I'm afraid that if you need a
CRL to handle these cases you risk splitting certificates into two types:
types which have a validity window ("Paul Robichaux is a member of the NRA
effective 1/1/97 to 12/31/97") and those which don't. For those which don't,
you still need online clearing.
I wonder what the relative balance is for certificates which require/support
a validity window versus those which are in effect until revoked.