[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: CRLs versus short Validity periods

IMHO there are still applications where CRLs make sense. Anytime you want to 
be able to negate the certificate's assertions outside of a validity window, 
I think you need a CRL to do it properly. Key compromise (say I lose my 
private key for my credit union account) is probably the most glaring 
example, but I think there are others:

        - I transfer out of a department where I have purchasing authority into one 
where I don't
        - I change stockbrokers and want to revoke the old broker's buy/sell 
authority on my holdings
        - the Episcopal Church wants to revoke one of its bishop's credentials for 

and so on.
In general I agree with Carl's analysis, but I'm afraid that if you need a 
CRL to handle these cases you risk splitting certificates into two types: 
types which have a validity window ("Paul Robichaux is a member of the NRA 
effective 1/1/97 to 12/31/97") and those which don't. For those which don't, 
you still need online clearing.

I wonder what the relative balance is for certificates which require/support 
a validity window versus those which are in effect until revoked.