Re: can CRL's and short-life certs coexist?

[cme@cybercash.com (Carl Ellison)]

At 22:51 3/7/96, Tony Bartoletti wrote:
>The idea of, shall we say, certificate depreciation, introduced below by
>Frank O'Dwyer is indeed fascinating.  If generalized, it could serve to
>significantly reduce overhead in network traffic, especially in the short-
>term cert model.
>
>I envision some way of codifying, either in the certificate or in the
>certifying agent's policy, a depreciation formula that can be resolved
>by the relying party at key-usage time to a value in the range [0,1].
>This value would represent a multiplier affecting the CA's acceptance
>of liability regarding the key's misuse (effectively shifting liability
>back in the direction of the relying party.)

>>At 08:43 3/5/96, Frank O'Dwyer wrote:
>>
>>>The same app. might well decide that a 2 day cert which
>>>expired an hour ago was fresh enough for a low-valued transaction,
>>>given that it didn't have the connectivity to always get a
>>>completely fresh cert.

One way to do this is to issue multiple certificates with different
validity periods for different authorization amounts:

a $5.00/purchase certificate might be valid for 10 days while a
$10,000.00/purchase certificate might be valid for 2 minutes.


+--------------------------------------------------------------------------+
|Carl M. Ellison          cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc., Suite 430                   http://www.cybercash.com/    |
|2100 Reston Parkway           PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Reston, VA 22091      Tel: (703) 620-4200                                 |
+--------------------------------------------------------------------------+

---

• Prev by Date: Re: Man in the middle attacks
• Next by Date: Re: specification language?
• Prev by thread: Re: Certificate depreciation & 'fuzzy' verification models (SPKI)
• Next by thread: Re: bootstrap of key-centric binding of person to key
• Index(es):
  • Main
  • Thread