Re: Light-weight certificate revocation lists ?
> From: "Donald E. Eastlake 3rd" <email@example.com>
> The only interesting CRLs are unanticipated ones.
Are you invoking the Chinese curse "May you live in interesting times"? :-)
From my POV, the only "interesting" security-related behaviour is
deterministic. The non-deterministic case may be interesting from an
academic study, intellectual exercise POV, but I wouldn't want to deploy
an actual system based on it.
> If CRLs are issued at
> predictable times and cover specific periods of time, into the future or the
> past, they are the same as using certificates with more limited validity
> periods and issuing or failing to issue more certificates.
Yes. Periodic CRLs are *entirely* an efficiency measure, and as such
they are unimportant for small-scale, localized-access, systems.
* If you assume that certificates will always be passed from the
subject to the verifier inline with the access request, you might as
well use short-duration certificates and dispense with the CRLs.
* If you assume, as Perry does, that verification will be always done
online, then you might as well dispense with the certificates too! There
is no need for public key cryptography when the verifier and the issuer
are the same entity - the issuer/verifier can just establish a symmetric
key with the subject and use a MAC instead of a signature.
* But if you assume that certificates will be stored in distributed
repositories and local caches, then there are efficiency benefits to
using long-term certificates and short-term CRLs.
Note that the use of CRLs is always a local, per-certificate decision
- the issuer can issue a certificate that says "unconditionally valid
for the duration", or "valid only in conjunction with a valid CRL".
If SPKI defines a CRL mechanism, it can be used where appropriate and
ignored elsewhere. If it doesn't define the mechanism, it can't be
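
The following is an added example, not part of the original message and not SPKI's own format: a verifier's acceptance check for the two per-certificate policies described above ("unconditionally valid for the duration" versus "valid only in conjunction with a valid CRL"), set beside a short-duration certificate. The field names, the `check` function and the sample values are assumptions constructed for illustration, and signatures are assumed to have been verified already.

```python
from dataclasses import dataclass

HOUR = 3600

@dataclass(frozen=True)
class Cert:
    serial: int
    not_before: int      # seconds, constructed timeline starting at 0
    not_after: int
    requires_crl: bool   # False = "unconditionally valid for the duration"

@dataclass(frozen=True)
class CRL:
    this_update: int     # periodic CRL covers [this_update, next_update)
    next_update: int
    revoked: frozenset = frozenset()

def check(cert, now, cached_crls=()):
    """Return (accepted, reason) for a certificate at time `now`."""
    if not (cert.not_before <= now < cert.not_after):
        return False, "certificate outside validity period"
    if not cert.requires_crl:
        return True, "unconditionally valid"
    # A CRL whose period does not cover `now` is treated as absent.
    current = [c for c in cached_crls if c.this_update <= now < c.next_update]
    if not current:
        return False, "no current CRL"   # fail closed
    newest = max(current, key=lambda c: c.this_update)
    if cert.serial in newest.revoked:
        return False, "revoked"
    return True, "valid with current CRL"

# Constructed sample data: a one-year certificate checked against daily CRLs,
# and a one-day certificate that the issuer simply does not renew.
LONG = Cert(serial=7, not_before=0, not_after=365 * 24 * HOUR, requires_crl=True)
SHORT = Cert(serial=8, not_before=0, not_after=24 * HOUR, requires_crl=False)
CRLS = (CRL(0, 24 * HOUR), CRL(24 * HOUR, 48 * HOUR, frozenset({7})))

if __name__ == "__main__":
    for label, cert, crls in (("long+CRL", LONG, CRLS), ("short", SHORT, ())):
        for t in (1 * HOUR, 30 * HOUR, 50 * HOUR):
            print(label, t // HOUR, "h:", check(cert, t, crls))
```

At hour 30 both certificates are rejected, one because the day-two CRL lists it and the other because no replacement was issued; at hour 50 the long-term certificate is rejected only because the cache holds no CRL covering that time.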