RE: CRLs versus short Validity periods
Carl said, in response to my "Episcopal bishop" argument:
>If no CRL path is specified in the cert, then this cert is not revokable.
>If a CRL path *is* specified, then the "death do us part" fantasy is broken
>from day 1 and the cert might as well have had a short validity period.

"Death do us part" is probably an extreme case. A better example might be a
power of attorney. I want to issue a power of attorney to someone whom I
want to authorize to act for me. If it's a limited power of attorney, a
short validity period might work OK-- unless the limit's bounds are unknown.

Concrete example: I got a free trip to Tanajib in the Kingdom of Saudi
Arabia thanks to the USMC. Before I left I wanted to issue a limited power
of attorney so that, in my absence, someone had the power to transact
business on my behalf. The limit didn't have a definite time bound, and it
would have been quite inconvenient for me to renew an expiring certificate
every, say, 60 days.

I think there's a place for "K says X until K says otherwise" credentials.
They do require the use of CRLs but thus far I am unconvinced that
short-expiry certificates are an adequate substitute.