[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CRLs versus short Validity periods

To follow up on Carl Ellison's note, let me briefly mention Silvio
Micali's recent proposal for optimizing CRL's somewhat:

Suppose my certificate is valid for one month.  The CA includes two
values, x0 and y.  The CA knows values x32 and y' such that

                h(y') = y
                h(x32) = x31
                h(x31) = x30
                h(x1) = x0

for some one-way hash function h (e.g. MD5).

The cert policy says: 
        (1) if you can produce a y' such that h(y') = y, then this
            certificate should be considered as revoked.  
        (2) this cert should only be considered as valid on day i of the
            month if it is accomanied by an xi such that h^i(xi) = x0.

The CA can "recertify" the cert for one more day by handing out xi to
the distributors of the cert (in particular the owner, and possibly other
cert servers).  The CA can revoke the cert by passing out y', similarly.

One advantage of this scheme is that additional digital signatures are
not required by the CA for recertification or revocation.

A paper on this topic should be available on this topic from Silvio Micali
at some point soon...

        Ron Rivest