[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: CRLs versus short Validity periods

Carl said, in response to my "Episcopal bishop" argument:

>If no CRL path is specified in the cert, then this cert is not revokable.
>If a CRL path *is* specified, then the "death do us part" fantasy is broken
>from day 1 and the cert might as well have had a short validity period.

"Death do us part" is probably an extreme case. A better example might be a 
power of attorney. I want to issue a power of attorney to someone whom I 
want to authorize to act for me. If it's a limited power of attorney, a 
short validity period might work OK-- unless the limit's bounds are unknown.

Concrete example: I got a free trip to Tanajib in the Kingdom of Saudi 
Arabia thanks to the USMC. Before I left I wanted to issue a limited power 
of attorney so that, in my absence, someone had the power to transact 
business on my behalf. The limit didn't have a definite time bound, and it 
would have been quite inconvenient for me to renew an expiring certificate 
every, say, 60 days.

I think there's a place for "K says X until K says otherwise" credentials. 
They do require the use of CRLs but thus far I am unconvinced that 
short-expiry certificates are an adequate substitute.