[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: can CRL's and short-life certs coexist?
>Carl Ellison wrote:
>> Yes, I think we agree. There are applications/CAs for which CRLs are the
>> clear performance winner. There are others for which short-lived certs are
>> the clear winner.
>Well, when faced with a situation like this (and _only_ when there's a
>clear win-win situation) it makes sense to let them coexist.
>Would it be possible to add a "Revocation-Alert" field to Carl's
>proposed certificate format? The semantics of the field would be, "if
>the field exists, resolve the URL on the right hand side to see if
>this certificate is still valid". So, checking a certificate is
>complicted a bit, but not much:
> if it has a "revocation-alert" field
> if cached copy of list referred to by "revocation-alert"
> is out of date
> fetch revocation list
> check cert against list
> check cert's time limits against current time
>Actually, it might be nice to define an even closer integration. Would
>it be useful to say, "this cert not valid until <time>, and not valid
>once revoced on the authority of this URL". However, I'm beginning to
>feel a little creaping featuritis...
>Does anyone else see a need for CRL's and time-limited certificates to
> Jeff Allen <firstname.lastname@example.org> | For information about Bunyip
>Bunyip Information Systems, Inc. | send e-mail to <email@example.com>
I had thought about supporting "Validity: Interval=..." and "Validity: CRL="
since validity is still the issue, but I admit to being ignorant about the
precise points where levels of standardization are to be imposed. It would
certainly promote adoption to provide a structure that could handle both CRLs and intervals, since there are reasoned arguments in both camps. I tend to
lean toward Carl's "Net as Data Driven Machine" model, imagining future CPU
and bandwidth as non-essential issues. Why not imagine having your driver's license certified every 24 hours? ___TONY___
Tony Bartoletti LL
SPI Project Leader LL LL
Computer Security Technology Center LL LL LL
Lawrence Livermore National Lab LL LL LL
PO Box 808, L - 303 LL LL LLLLLLLL
Livermore, CA 94551-9900 LL LLLLLLLL
email: firstname.lastname@example.org phone: 510-422-3881 LLLLLLLL