
Re: can CRL's and short-life certs coexist?

> At 16:36 3/4/96, Tony Bartoletti wrote:
> >I had thought about supporting "Validity: Interval=..." and "Validity: CRL="
> >since validity is still the issue, but I admit to being ignorant about the
> >precise points where levels of standardization are to be imposed.  It would
> >certainly promote adoption to provide a structure that could handle both
> >CRLs and intervals, since there are reasoned arguments in both camps.  I tend to
> >lean toward Carl's "Net as Data Driven Machine" model, imagining future CPU
> >and bandwidth as non-essential issues.  Why not imagine having your
> >driver's license certified every 24 hours?  ___TONY___
> I'm still mulling the performance difference -- and am probably about to
> write a short performance analysis, going one large step deeper than my
> first post on the subject.  My guess is that we want both.  The trouble is,
> we might want both in the same certificate.  That is, the decision to use
> CRLs depends on the validating application more than anything else.  If it
> can't keep state or if it doesn't get enough traffic in that CA's certs to
> have multiple hits on a CRL, then it wants short-lived certs.  The issuer
> doesn't know for sure what the application will prefer.
> Aha!
> [See, it pays to send mail before thinking -- one has to think! :) ]
> A certificate needs a Validity-period -- the length of time a CRL is
> considered valid [or the duration of a short-lived cert].  A cert with a
> CRL would have both a validity date range and a CRL URL.  One could have
> the added notion that even if you have a CRL pointer, you don't need to
> look at the CRL if:
> a) you last looked at the CRL less than Validity-period ago
> or
> b) the cert was signed less than Validity-period ago
> In this case, one cert could serve both applications.  If you maintain CRL
> state, you can keep the CRL up to date [fetching updates every
> Validity-period].  If you don't maintain a CRL, you can ask the Issuer for
> an updated cert every Validity-period and get one signed recently enough
> not to need a CRL test.
> How does this feel?

Grrrr - another list that needs group reply - I wrote something to this effect
yesterday but forgot the all-important "g" key. It seems to me to be important
to support "lightweight" apps - ones which may not have access to the CRL,
presumably usually through lack of connectivity, as well as the other reasons
given for the two methods.
>  - Carl
> +--------------------------------------------------------------------------+
> |Carl M. Ellison          cme@cybercash.com   http://www.clark.net/pub/cme |
> |CyberCash, Inc., Suite 430                   http://www.cybercash.com/    |
> |2100 Reston Parkway           PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
> |Reston, VA 22091      Tel: (703) 620-4200                                 |
> +--------------------------------------------------------------------------+

Ben Laurie                  Phone: +44 (181) 994 6435
Freelance Consultant and    Fax:   +44 (181) 994 6472
Technical Director          Email: ben@algroup.co.uk
A.L. Digital Ltd,           URL: http://www.algroup.co.uk
London, England.
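The two-rule freshness check Carl sketches above (skip the CRL if it was refreshed less than Validity-period ago, or if the cert itself was signed less than Validity-period ago), written out as an added example that is not part of the thread. The data model, the CRL URL and the stateless-verifier behaviour (treat the cert as short-lived and ask for a re-signed one) are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional, Set

@dataclass
class Cert:
    serial: str
    signed_at: int           # when the issuer signed it (epoch seconds)
    not_after: int           # end of the cert's validity date range
    validity_period: int     # seconds a CRL (or a short-lived cert) stays fresh
    crl_url: Optional[str]   # None if the cert carries no CRL pointer

@dataclass
class CrlCache:
    fetched_at: int = -1     # -1: never fetched
    revoked: Set[str] = field(default_factory=set)

def check_cert(cert: Cert, now: int, cache: Optional[CrlCache],
               fetch_crl: Callable[[str], Set[str]]) -> str:
    """Return 'ok', 'revoked' or 'stale'. cache=None models a verifier that keeps
    no CRL state; 'stale' means it should ask the issuer for a freshly signed cert."""
    if now > cert.not_after:
        return "stale"
    # rule (b): signed less than Validity-period ago, so no CRL test is needed
    if now - cert.signed_at < cert.validity_period:
        return "ok"
    # no CRL pointer, or no way to keep CRL state: treat it as a short-lived cert
    if cert.crl_url is None or cache is None:
        return "stale"
    # rule (a): reuse the cached CRL if it was fetched less than Validity-period ago
    if now - cache.fetched_at >= cert.validity_period:
        cache.revoked = fetch_crl(cert.crl_url)
        cache.fetched_at = now
    return "revoked" if cert.serial in cache.revoked else "ok"

def demo():
    """Constructed scenario: one CA, a CRL listing serial 0002, a 24h Validity-period."""
    now, period, url = 1_000_000_000, 86400, "http://ca.example/crl"  # hypothetical URL
    fetches = []
    def fake_fetch(u):            # stands in for a network fetch of the CRL
        fetches.append(u)
        return {"0002"}
    def cert(serial, age):
        return Cert(serial, now - age, now + 365 * period, period, url)
    cache = CrlCache()
    results = [
        check_cert(cert("0001", 3600), now, cache, fake_fetch),                 # rule (b): no fetch
        check_cert(cert("0001", 10 * period), now, cache, fake_fetch),          # first CRL fetch
        check_cert(cert("0002", 10 * period), now, cache, fake_fetch),          # rule (a): cached CRL
        check_cert(cert("0001", 10 * period), now + period, cache, fake_fetch), # CRL aged out: refetch
        check_cert(cert("0001", 10 * period), now, None, fake_fetch),           # stateless: wants new cert
    ]
    return results, len(fetches)
```

Only two CRL fetches happen across the five checks; the stateful verifier amortises the CRL, while the stateless one falls back to the short-lived-cert path.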