[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[cme@cybercash.com: Re: CRLs versus short Validity periods]

Why have the y' value?  If you want to have conclusive proof that the
certificate has been revoked.  Of course the absence of an appropriate
xi makes the certificate ineffective, but the presence of a y value makes
it clear that it has been revoked (as opposed to the situation where an xi
is not available for some other reason).  For some applications, this
distinction may be inessential.  However, for others it may be important.

For example, if I inform my CA that my private key has been compromised, then
I can obtain the y' and distribute it quickly to demonstrate revocation, even
before the lack of tomorrow's xi makes the certificate ineffective.  

More importantly, a query to the CA regarding a certificate must
return either the corresponding xi or y'.  Note that this response
does NOT need to be digitally signed.  Without the y' option, the
negative reply (indicating revocation) would need to be signed by the

        Ron Rivest
Return-Path: <owner-spki@c2.org>
Mime-Version: 1.0
Date: Fri, 1 Mar 1996 02:21:15 -0500
To: spki@c2.org
From: cme@cybercash.com (Carl Ellison)
Subject: Re: CRLs versus short Validity periods
Cc: coderpunks@toad.com
Sender: owner-spki@c2.org
Precedence: bulk

At 20:15 2/29/96, Ron Rivest wrote:
>To follow up on Carl Ellison's note, let me briefly mention Silvio
>Micali's recent proposal for optimizing CRL's somewhat:
>Suppose my certificate is valid for one month.  The CA includes two
>values, x0 and y.  The CA knows values x32 and y' such that
>                h(y') = y
>                h(x32) = x31
>                h(x31) = x30
>                ...
>                h(x1) = x0
>for some one-way hash function h (e.g. MD5).
>The cert policy says:
>        (1) if you can produce a y' such that h(y') = y, then this
>            certificate should be considered as revoked.
>        (2) this cert should only be considered as valid on day i of the
>            month if it is accomanied by an xi such that h^i(xi) = x0.


thanks for the summary.  I will have to get a copy of Silvio's paper.
However, from your summary, this looks like redundant operations.
That is, if the cert issuer wants to revoke a cert, all it has to do
is withhold release of x_i.  This doesn't involve release of y'.

Is there some compelling reason to have mechanism (1)?

>One advantage of this scheme is that additional digital signatures are
>not required by the CA for recertification or revocation.

Exactly -- makes network traffic the big issue in performance comparisons.

 - Carl

|Carl M. Ellison          cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc., Suite 430                   http://www.cybercash.com/    |
|2100 Reston Parkway           PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Reston, VA 22091      Tel: (703) 620-4200                                 |