[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: CRLs versus short Validity periods

To: "Robichaux, Paul E" <perobich@ingr.com>
Subject: RE: CRLs versus short Validity periods
From: cme@cybercash.com (Carl Ellison)
Date: Thu, 29 Feb 1996 17:53:29 -0500
Cc: "spki@c2.org" <spki@c2.org>
Sender: owner-spki@c2.org

At 17:33 2/29/96, Robichaux, Paul E wrote:
>IMHO there are still applications where CRLs make sense. Anytime you want to
>be able to negate the certificate's assertions outside of a validity window,
>I think you need a CRL to do it properly. Key compromise (say I lose my
>private key for my credit union account) is probably the most glaring
>example, but I think there are others:
>
>        - I transfer out of a department where I have purchasing authority
>into one
>where I don't
>        - I change stockbrokers and want to revoke the old broker's buy/sell
>authority on my holdings
>        - the Episcopal Church wants to revoke one of its bishop's
>credentials for
>heresy

I understand this kind of argument.  What my analysis was showing was that
CRLs have a validity period just like certificates -- and you can make
a system either way [with CRLs or without] -- and in one way they are
logically equivalent.  ...only the CRL path appears to be more expensive.

What I think you're trying to say is that the Episcopal church wants to
revoke a bishop's credentials after the fact.  When the credentials were
issued, it was "until death do us part" -- and everybody was optimistic
that they'd never be revoked, so no short validity period was specified.
It's only after the fact that someone wants to scurry around, find all those
certs and cut them up.

If no CRL path is specified in the cert, then this cert is not revokable.
If a CRL path *is* specified, then the "death do us part" fantasy is broken
from day 1 and the cert might as well have had a short validity period.

I don't see any way around the logical equivalence.

 - Carl

+--------------------------------------------------------------------------+
|Carl M. Ellison          cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc., Suite 430                   http://www.cybercash.com/    |
|2100 Reston Parkway           PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Reston, VA 22091      Tel: (703) 620-4200                                 |
+--------------------------------------------------------------------------+

Prev by Date: Re: Aliases (Re-sent)
Next by Date: Re: encodings, character sets, general requirements
Prev by thread: RE: CRLs versus short Validity periods
Next by thread: CRLs versus short Validity periods
Index(es):
- Main
- Thread