Re: can CRL's and short-life certs coexist?
At 22:51 3/7/96, Tony Bartoletti wrote:
>The idea of, shall we say, certificate depreciation, introduced below by
>Frank O'Dwyer is indeed fascinating. If generalized, it could serve to
>significantly reduce overhead in network traffic, especially in the short-
>term cert model.
>
>I envision some way of codifying, either in the certificate or in the
>certifying agent's policy, a depreciation formula that can be resolved
>by the relying party at key-usage time to a value in the range [0,1].
>This value would represent a multiplier affecting the CA's acceptance
>of liability regarding the key's misuse (effectively shifting liability
>back in the direction of the relying party.)
>>At 08:43 3/5/96, Frank O'Dwyer wrote:
>>
>>>The same app. might well decide that a 2 day cert which
>>>expired an hour ago was fresh enough for a low-valued transaction,
>>>given that it didn't have the connectivity to always get a
>>>completely fresh cert.
One way to do this is to issue multiple certificates with different
validity periods for different authorization amounts:
a $5.00/purchase certificate might be valid for 10 days while a
$10,000.00/purchase certificate might be valid for 2 minutes.
+--------------------------------------------------------------------------+
|Carl M. Ellison cme@cybercash.com http://www.clark.net/pub/cme |
|CyberCash, Inc., Suite 430 http://www.cybercash.com/ |
|2100 Reston Parkway PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Reston, VA 22091 Tel: (703) 620-4200 |
+--------------------------------------------------------------------------+
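
Added example, not part of the original message: a relying-party check for the tiered scheme suggested above, where one key holds several certificates whose lifetime shrinks as the per-purchase ceiling grows. The TieredCert record, its field names and both functions are hypothetical, the sample data is constructed, and signature and chain validation are assumed to have happened already.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from decimal import Decimal
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class TieredCert:
    """Constructed stand-in for a certificate (hypothetical fields)."""
    serial: str
    subject: str
    max_purchase: Decimal   # authorization ceiling per purchase
    not_before: datetime
    not_after: datetime


def issue_tiers(subject: str, now: datetime,
                tiers: Sequence[Tuple[str, timedelta]]) -> List[TieredCert]:
    """Issue one certificate per (ceiling, lifetime) tier for the same subject."""
    return [TieredCert(f"{subject}-{i}", subject, Decimal(limit), now, now + life)
            for i, (limit, life) in enumerate(tiers)]


def authorizing_cert(certs: Sequence[TieredCert], subject: str,
                     amount: Decimal, at: datetime) -> Optional[TieredCert]:
    """Return a currently valid certificate covering `amount`, or None to reject.

    Expiry is checked per tier, so a high-value certificate that has lapsed
    never authorizes anything, even while the low-value one is still good.
    Among covering certificates the lowest ceiling is returned.
    """
    usable = [c for c in certs
              if c.subject == subject
              and c.not_before <= at <= c.not_after
              and Decimal("0") < amount <= c.max_purchase]
    return min(usable, key=lambda c: c.max_purchase, default=None)


# Constructed sample using the two tiers from the message above.
ISSUED = datetime(1996, 3, 8, 12, 0, tzinfo=timezone.utc)
CERTS = issue_tiers("alice", ISSUED, [
    ("5.00", timedelta(days=10)),
    ("10000.00", timedelta(minutes=2)),
])

if __name__ == "__main__":
    for amount, delay in [("4.50", timedelta(days=9)),
                          ("9000.00", timedelta(minutes=1)),
                          ("9000.00", timedelta(minutes=3))]:
        cert = authorizing_cert(CERTS, "alice", Decimal(amount), ISSUED + delay)
        print(amount, delay, "->", cert.serial if cert else "REJECT")
```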