Re: can CRL's and short-life certs coexist?
>
> At 16:36 3/4/96, Tony Bartoletti wrote:
>
> >I had thought about supporting "Validity: Interval=..." and "Validity: CRL="
> >since validity is still the issue, but I admit to being ignorant about the
> >precise points where levels of standardization are to be imposed. It would
> >certainly promote adoption to provide a structure that could handle both
> >CRLs and intervals, since there are reasoned arguments in both camps. I
> >tend to lean toward Carl's "Net as Data Driven Machine" model, imagining future CPU
> >and bandwidth as non-essential issues. Why not imagine having your
> >driver's license certified every 24 hours? ___TONY___
>
> I'm still mulling the performance difference -- and am probably about to
> write a short performance analysis, going one large step deeper than my
> first post on the subject. My guess is that we want both. The trouble is,
> we might want both in the same certificate. That is, the decision to use
> CRLs depends on the validating application more than anything else. If it
> can't keep state or if it doesn't get enough traffic in that CA's certs to
> have multiple hits on a CRL, then it wants short-lived certs. The issuer
> doesn't know for sure what the application will prefer.
>
> Aha!
>
> [See, it pays to send mail before thinking -- one has to think! :) ]
>
> A certificate needs a Validity-period -- the length of time a CRL is
> considered valid [or the duration of a short-lived cert]. A cert with a
> CRL would have both a validity date range and a CRL URL. One could have
> the added notion that even if you have a CRL pointer, you don't need to
> look at the CRL if:
>
> a) you last looked at the CRL less than Validity-period ago
> or
> b) the cert was signed less than Validity-period ago
>
> In this case, one cert could serve both applications. If you maintain CRL
> state, you can keep the CRL up to date [fetching updates every
> Validity-period]. If you don't maintain a CRL, you can ask the Issuer for
> an updated cert every Validity-period and get one signed recently enough
> not to need a CRL test.
>
> How does this feel?
Grrrr - another list that needs group reply - I wrote something to this effect
yesterday but forgot the all-important "g" key. It seems to me to be important
to support "lightweight" apps - ones which may not have access to the CRL,
presumably usually through lack of connectivity, as well as the other reasons
given for the two methods.
Cheers,
Ben.
>
> - Carl
>
> +--------------------------------------------------------------------------+
> |Carl M. Ellison cme@cybercash.com http://www.clark.net/pub/cme |
> |CyberCash, Inc., Suite 430 http://www.cybercash.com/ |
> |2100 Reston Parkway PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
> |Reston, VA 22091 Tel: (703) 620-4200 |
> +--------------------------------------------------------------------------+
>
>
--
Ben Laurie Phone: +44 (181) 994 6435
Freelance Consultant and Fax: +44 (181) 994 6472
Technical Director Email: ben@algroup.co.uk
A.L. Digital Ltd, URL: http://www.algroup.co.uk
London, England.
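The validation rule in Carl's quoted message (skip the CRL if (a) you fetched it less than Validity-period ago, or (b) the cert was signed less than Validity-period ago) and Ben's "lightweight" offline case can be written down as a small decision procedure. This is an added example, not code from either poster or from the SPKI work; the `Cert`/`CrlCache` structures, the `validate` function, the CA URL and the serial numbers are all constructed here.

```python
"""Added example: one certificate serving both a stateful (CRL-caching) verifier
and a stateless or offline one, following the two skip rules in the message.
All types, names, URLs and sample data below are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Optional, Set


@dataclass
class Cert:
    serial: str
    signed_at: datetime            # when the issuer signed this cert
    validity_period: timedelta     # "Validity-period" from the message
    crl_url: Optional[str] = None  # CRL pointer; None means short-lived cert only


@dataclass
class CrlCache:
    """State a verifier that sees many certs from one CA keeps between checks."""
    fetched_at: Optional[datetime] = None
    revoked: Set[str] = field(default_factory=set)


def crl_is_fresh(cache: Optional[CrlCache], now: datetime, period: timedelta) -> bool:
    """Rule (a): a CRL fetched less than Validity-period ago need not be re-fetched."""
    return (cache is not None and cache.fetched_at is not None
            and now - cache.fetched_at < period)


def validate(cert: Cert, now: datetime, cache: Optional[CrlCache],
             fetch_crl: Callable[[str], Optional[Set[str]]]) -> str:
    """Return 'valid', 'revoked', 'stale' or 'crl-unavailable'.

    fetch_crl(url) returns the set of revoked serials, or None if the CRL
    cannot be reached (the lightweight/offline application)."""
    if cert.crl_url is None:
        # Pure short-lived cert: once Validity-period has passed the holder
        # must ask the issuer for a freshly signed one.
        return "valid" if now - cert.signed_at < cert.validity_period else "stale"
    if now - cert.signed_at < cert.validity_period:
        return "valid"                      # rule (b): signed recently enough
    if crl_is_fresh(cache, now, cert.validity_period):
        revoked = cache.revoked             # rule (a): reuse the cached CRL
    else:
        crl = fetch_crl(cert.crl_url)
        if crl is None:
            return "crl-unavailable"        # no connectivity and no recent CRL
        if cache is not None:
            cache.fetched_at, cache.revoked = now, set(crl)
        revoked = crl
    return "revoked" if cert.serial in revoked else "valid"


def run_scenario() -> dict:
    """Constructed scenario: one CA, one CRL, two kinds of verifier."""
    t0 = datetime(1996, 3, 5, 12, 0)
    period = timedelta(hours=24)
    crl_url = "http://ca.example/crl"       # hypothetical CRL location
    published_crl = {"serial-002"}          # constructed revocation list
    fetches = []

    def online_fetch(url: str) -> Optional[Set[str]]:
        fetches.append(url)
        return set(published_crl)

    def offline_fetch(url: str) -> Optional[Set[str]]:
        return None                         # lightweight app with no connectivity

    fresh = Cert("serial-001", t0, period, crl_url)
    old_ok = Cert("serial-001", t0 - timedelta(days=3), period, crl_url)
    old_revoked = Cert("serial-002", t0 - timedelta(days=3), period, crl_url)
    short_lived = Cert("serial-003", t0 - timedelta(days=3), period)

    cache = CrlCache()                      # the stateful verifier's CRL state
    return {
        # (b): freshly signed, so even an offline verifier accepts it
        "fresh_offline": validate(fresh, t0, None, offline_fetch),
        # stateful verifier: first old cert forces one CRL fetch
        "old_stateful": validate(old_ok, t0, cache, online_fetch),
        # (a): an hour later the cached CRL answers without a second fetch
        "old_revoked_cached": validate(old_revoked, t0 + timedelta(hours=1), cache, online_fetch),
        # stateless offline verifier cannot accept an old cert that needs a CRL
        "old_stateless_offline": validate(old_ok, t0, None, offline_fetch),
        # short-lived cert past its period: holder must get a new one signed
        "short_lived_expired": validate(short_lived, t0, None, offline_fetch),
        "crl_fetch_count": len(fetches),
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

The scenario shows the two application types the message contrasts: the verifier holding a `CrlCache` fetches the CRL once and reuses it for the rest of the Validity-period, while the verifier with no state and no connectivity can only accept certificates that were signed within Validity-period and must treat older ones as unverifiable rather than silently valid.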