[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Light-weight certificate revocation lists ?

To: dpkemp@missi.ncsc.mil (David P. Kemp)
Subject: Re: Light-weight certificate revocation lists ?
From: "Perry E. Metzger" <perry@piermont.com>
Date: Wed, 02 Apr 1997 10:26:55 -0500
Cc: spki@c2.net
In-Reply-To: Your message of "Wed, 02 Apr 1997 08:54:56 EST." <199704021354.IAA07928@argon.ncsc.mil>
Reply-To: perry@piermont.com
Sender: owner-spki@c2.net

David P. Kemp writes:
> CRLs don't wander around space like anti-matter, randomly colliding with
> certificates!  Just like certificates, they are fetched as needed if
> they aren't already available from a local cache on the decision-making
> host.

Lets say that the original certificate was delivered along with a mail
message, or otherwise delivered and not fetched? Perhaps the mail
message isn't even coming over an IP channel, but is instead coming
over a protocol like UUCP that makes real time fetches hard.

Lets say that you use a cache to prevent yourself from having to fetch
things all the time?

In either case, you might not look up a CRL "on time". In fact, you
might not even be able to look up a CRL.

I don't mind making provisions for CRLs, but they are an
extraordinarily limited tool unless you impose very tight constraints
on the ways that certificates are used, and even then, an adversary
can probably prevent you from getting a CRL far more easily than they
could otherwise interfere with you.

Perry

Follow-Ups:

Re: Light-weight certificate revocation lists ?

From: Carl Ellison <cme@cybercash.com>

References:

Re: Light-weight certificate revocation lists ?

From: dpkemp@missi.ncsc.mil (David P. Kemp)

Prev by Date: Re: single <auth> per cert (was Re: "auth" --> "tag" ?? )
Next by Date: Re: Light-weight certificate revocation lists ?
Prev by thread: Re: Light-weight certificate revocation lists ?
Next by thread: Re: Light-weight certificate revocation lists ?
Index(es):
- Main
- Thread