Re: CRLs versus short Validity periods

At 20:15 2/29/96, Ron Rivest wrote:
>To follow up on Carl Ellison's note, let me briefly mention Silvio
>Micali's recent proposal for optimizing CRL's somewhat:
>Suppose my certificate is valid for one month.  The CA includes two
>values, x0 and y.  The CA knows values x32 and y' such that
>                h(y') = y
>                h(x32) = x31
>                h(x31) = x30
>                ...
>                h(x1) = x0
>for some one-way hash function h (e.g. MD5).
>The cert policy says:
>        (1) if you can produce a y' such that h(y') = y, then this
>            certificate should be considered as revoked.
>        (2) this cert should only be considered as valid on day i of the
>            month if it is accompanied by an xi such that h^i(xi) = x0.


Thanks for the summary.  I will have to get a copy of Silvio's paper.
However, from your summary, this looks like redundant operations.
That is, if the cert issuer wants to revoke a cert, all it has to do
is withhold release of x_i.  This doesn't involve release of y'.

Is there some compelling reason to have mechanism (1)?

>One advantage of this scheme is that additional digital signatures are
>not required by the CA for recertification or revocation.

Exactly -- makes network traffic the big issue in performance comparisons.

 - Carl
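
The hash-chain scheme summarized in the quoted message, as an added example that is not part of the original e-mail or of Micali's paper. It shows the relying-party outcomes under policy rules (1) and (2). SHA-256 stands in for the hash h, and the names CA, daily_token, revoke and check are assumptions made for illustration.

```python
import hashlib
import os

DAYS = 32  # chain length from the quoted summary (x32 down to x0)

def h(data: bytes) -> bytes:
    # Assumption: SHA-256 in place of the "one-way hash function h (e.g. MD5)".
    return hashlib.sha256(data).digest()

def h_iter(data: bytes, n: int) -> bytes:
    """Apply h n times, i.e. compute h^n(data)."""
    for _ in range(n):
        data = h(data)
    return data

class CA:
    """Keeps the secrets x32 and y'; the certificate carries only x0 and y."""
    def __init__(self):
        self._x_top = os.urandom(32)    # x32
        self._y_prime = os.urandom(32)  # y'
        self.cert = {"x0": h_iter(self._x_top, DAYS), "y": h(self._y_prime)}
        self.revoked = False

    def daily_token(self, day: int):
        # x_i = h^(32-i)(x32); nothing is released once the cert is revoked.
        if self.revoked or not 1 <= day <= DAYS:
            return None
        return h_iter(self._x_top, DAYS - day)

    def revoke(self) -> bytes:
        # Releasing y' lets anyone confirm revocation against y in the cert.
        self.revoked = True
        return self._y_prime

def check(cert: dict, day: int, x_i: bytes = None, y_prime: bytes = None) -> str:
    """Relying-party decision for the given day of the month."""
    if y_prime is not None and h(y_prime) == cert["y"]:
        return "revoked"                      # rule (1)
    if x_i is not None and 1 <= day <= DAYS and h_iter(x_i, day) == cert["x0"]:
        return "valid"                        # rule (2): h^i(x_i) = x0
    return "not_valid"                        # no usable x_i for this day
```

Both checks are hash evaluations only; the CA's signature is needed once, on the certificate that carries x0 and y.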

