
RE: CRLs versus short Validity periods



IMHO there are still applications where CRLs make sense. Anytime you want to 
be able to negate the certificate's assertions outside of a validity window, 
I think you need a CRL to do it properly. Key compromise (say I lose my 
private key for my credit union account) is probably the most glaring 
example, but I think there are others:

- I transfer out of a department where I have purchasing authority into one
  where I don't
- I change stockbrokers and want to revoke the old broker's buy/sell
  authority on my holdings
- the Episcopal Church wants to revoke one of its bishop's credentials for
  heresy

and so on.

In general I agree with Carl's analysis, but I'm afraid that if you need a 
CRL to handle these cases you risk splitting certificates into two types: 
types which have a validity window ("Paul Robichaux is a member of the NRA 
effective 1/1/97 to 12/31/97") and those which don't. For those which don't, 
you still need online clearing.

I wonder what the relative balance is for certificates which require/support 
a validity window versus those which are in effect until revoked.

-Paul
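The distinction Paul draws (a validity window alone cannot negate an assertion before it expires; an "in effect until revoked" certificate needs a CRL or an online check) can be modelled in a few lines. The following is an added example, not code from the list or from any SPKI implementation; the Cert and CRL types, the serial numbers and the dates are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class Cert:
    """A certificate carrying one assertion about its subject (constructed model)."""
    serial: int
    subject: str
    assertion: str
    not_before: datetime
    not_after: Optional[datetime]  # None models a cert that is in effect until revoked


@dataclass
class CRL:
    """A certificate revocation list: revoked serials plus its own freshness window."""
    issued: datetime
    next_update: datetime
    revoked: Set[int] = field(default_factory=set)


def assertion_holds(cert: Cert, at: datetime, crl: Optional[CRL] = None) -> Tuple[bool, str]:
    """Decide whether the cert's assertion should be honoured at time `at`.

    Order matters: the validity window is checked first, then the CRL. A cert
    with no expiry and no revocation data cannot be trusted offline at all.
    """
    if at < cert.not_before:
        return False, "not yet valid"
    if cert.not_after is not None and at > cert.not_after:
        return False, "expired"
    if cert.not_after is None and crl is None:
        return False, "no validity window and no revocation data: online check required"
    if crl is not None:
        if at > crl.next_update:
            return False, "CRL stale"  # a relying party must not keep using an old list
        if cert.serial in crl.revoked:
            return False, "revoked"
    return True, "ok"


def compromise_scenario() -> dict:
    """Key compromise on day 3 of a 7-day cert, with and without a CRL (constructed data)."""
    t0 = datetime(1997, 1, 1)
    day = timedelta(days=1)
    short_lived = Cert(1, "Paul", "may access credit union account", t0, t0 + 7 * day)
    open_ended = Cert(2, "Paul", "may buy/sell via old broker", t0, None)
    # CRL published on the day the compromise is reported, listing serial 1 only.
    crl = CRL(issued=t0 + 3 * day, next_update=t0 + 10 * day, revoked={1})
    return {
        # Without a CRL the short-lived cert keeps asserting until it expires.
        "short_lived_no_crl": assertion_holds(short_lived, t0 + 4 * day),
        # With the CRL the assertion is negated inside the validity window.
        "short_lived_with_crl": assertion_holds(short_lived, t0 + 4 * day, crl),
        # After expiry the window alone suffices, CRL or not.
        "short_lived_after_expiry": assertion_holds(short_lived, t0 + 8 * day, crl),
        # An open-ended cert cannot be evaluated offline without revocation data.
        "open_ended_no_crl": assertion_holds(open_ended, t0 + 4 * day),
        "open_ended_with_crl": assertion_holds(open_ended, t0 + 4 * day, crl),
        # Once the CRL is past nextUpdate the relying party is back to needing fresh data.
        "open_ended_stale_crl": assertion_holds(open_ended, t0 + 11 * day, crl),
    }


if __name__ == "__main__":
    for name, (holds, reason) in compromise_scenario().items():
        print(f"{name:28s} holds={holds!s:5s} ({reason})")
```

The model makes the trade-off visible: a short validity window bounds the damage from a compromise to the remaining days of the window, while a CRL (or an online query) is the only thing that ends it sooner, and a certificate with no expiry is unusable by an offline relying party that has no current revocation data.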