[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: can CRL's and short-life certs coexist?

>Carl Ellison wrote:
>> Yes, I think we agree.  There are applications/CAs for which CRLs are the
>> clear performance winner.  There are others for which short-lived certs are
>> the clear winner.
>Well, when faced with a situation like this (and _only_ when there's a
>clear win-win situation) it makes sense to let them coexist.
>Would it be possible to add a "Revocation-Alert" field to Carl's
>proposed certificate format? The semantics of the field would be, "if
>the field exists, resolve the URL on the right hand side to see if
>this certificate is still valid". So, checking a certificate is
>complicted a bit, but not much:
>        if it has a "revocation-alert" field
>           if cached copy of list referred to by "revocation-alert"
>             is out of date
>                   fetch revocation list
>           check cert against list
>        else
>           check cert's time limits against current time
>Actually, it might be nice to define an even closer integration. Would
>it be useful to say, "this cert not valid until <time>, and not valid
>once revoced on the authority of this URL". However, I'm beginning to
>feel a little creaping featuritis...
>Does anyone else see a need for CRL's and time-limited certificates to
>coexist peacfully?
>    Jeff Allen <jeff@bunyip.com>   |   For information about Bunyip
>Bunyip Information Systems, Inc.   |   send e-mail to <info@bunyip.com>

I had thought about supporting "Validity: Interval=..." and "Validity: CRL="
since validity is still the issue, but I admit to being ignorant about the
precise points where levels of standardization are to be imposed.  It would
certainly promote adoption to provide a structure that could handle both CRLs and intervals, since there are reasoned arguments in both camps.  I tend to
lean toward Carl's "Net as Data Driven Machine" model, imagining future CPU
and bandwidth as non-essential issues.  Why not imagine having your driver's license certified every 24 hours?  ___TONY___

Tony Bartoletti                                             LL
SPI Project Leader                                       LL LL
Computer Security Technology Center                   LL LL LL
Lawrence Livermore National Lab                       LL LL LL
PO Box 808, L - 303                                   LL LL LLLLLLLL
Livermore, CA 94551-9900                              LL LLLLLLLL
email: azb@llnl.gov   phone: 510-422-3881             LLLLLLLL