
can CRLs and short-life certs coexist?



Carl Ellison wrote:
> Yes, I think we agree.  There are applications/CAs for which CRLs are the
> clear performance winner.  There are others for which short-lived certs are
> the clear winner.

Well, when faced with a situation like this (and _only_ when there's a
clear win-win situation) it makes sense to let them coexist.

Would it be possible to add a "Revocation-Alert" field to Carl's
proposed certificate format? The semantics of the field would be, "if
the field exists, resolve the URL on the right hand side to see if
this certificate is still valid". So, checking a certificate is
complicated a bit, but not much:

        if it has a "revocation-alert" field
           if cached copy of list referred to by "revocation-alert"
             is out of date
                   fetch revocation list
           check cert against list
        else
           check cert's time limits against current time

Actually, it might be nice to define an even closer integration. Would
it be useful to say, "this cert not valid until <time>, and not valid
once revoked on the authority of this URL". However, I'm beginning to
feel a little creeping featuritis...

Does anyone else see a need for CRLs and time-limited certificates to
coexist peacefully?

--
    Jeff Allen <jeff@bunyip.com>   |   For information about Bunyip
Bunyip Information Systems, Inc.   |   send e-mail to <info@bunyip.com>
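The hybrid check sketched in the message above, worked out as an added example (not code from the original post or from any SPKI draft). It implements the "closer integration" variant, where a cert must be inside its own time window and, if it carries a revocation-alert URL, must also be absent from that list; the field name, the cache freshness policy, the `fetch` callback and the sample serials are all assumptions.

```python
"""Hybrid validity check: time limits plus an optional revocation-alert list."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

@dataclass
class Cert:
    serial: str
    not_before: int                       # seconds since epoch
    not_after: int
    revocation_alert: Optional[str] = None  # assumed field: URL of the revocation list

@dataclass
class CachedList:
    fetched_at: int
    revoked: Set[str]

class Checker:
    def __init__(self, fetch: Callable[[str], Set[str]], max_age: int):
        self.fetch = fetch      # resolves a revocation-alert URL to the set of revoked serials
        self.max_age = max_age  # seconds a cached list is treated as fresh (assumed policy)
        self.cache: Dict[str, CachedList] = {}

    def _revocation_list(self, url: str, now: int) -> Set[str]:
        # Re-fetch only when there is no cached copy or the cached copy is out of date.
        entry = self.cache.get(url)
        if entry is None or now - entry.fetched_at > self.max_age:
            entry = CachedList(fetched_at=now, revoked=self.fetch(url))
            self.cache[url] = entry
        return entry.revoked

    def is_valid(self, cert: Cert, now: int) -> bool:
        # The time window always applies; a short-lived cert needs nothing more.
        if not (cert.not_before <= now <= cert.not_after):
            return False
        if cert.revocation_alert is None:
            return True
        return cert.serial not in self._revocation_list(cert.revocation_alert, now)

def demo():
    fetch_log = []
    def fetch(url):                       # constructed stand-in for resolving the URL
        fetch_log.append(url)
        return {"0002"}                   # constructed: only serial 0002 is revoked
    chk = Checker(fetch, max_age=3600)
    url = "http://ca.example/revocation-list"   # placeholder URL
    long_lived, revoked = Cert("0001", 0, 10**9, url), Cert("0002", 0, 10**9, url)
    short = Cert("0003", 1000, 2000)      # short-lived cert with no revocation-alert field
    results = (chk.is_valid(long_lived, 5000), chk.is_valid(revoked, 5000),
               chk.is_valid(short, 1500), chk.is_valid(short, 2500),
               chk.is_valid(long_lived, 9000))   # 4000 s later: cache stale, list re-fetched
    return results, len(fetch_log)
```

Running `demo()` shows the cached list serving the second check for free and being refreshed once it ages past `max_age`, while the short-lived cert is judged purely on its time limits.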
