[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: serial numbers // push/pull CRL's
> Carl made several points about CRL's. Here are some comments:
> (1) Using the hash of a certificate as the name for a certificate works,
> but is very inefficient. With MD5, this takes at least 128 bits per
> certificate. If the issuing key gives out sequential serial numbers,
> then referring to a certificate takes space at most 32 bits, assuming
> he hasn't issued more than 2**32 certificates.
An MD5 or SHA hash value being uniformly distributed fits nicely with a
variety of fast indexing mechanisms - hash index plus btree etc.
I tend to prefer using a single index rather than a compound one.
A hash value has the nice property that the name becomes self
validating. For example a reference to cert MD5:ksgfqgweoajvkjhsvdasdg==
can only be to a single certificate. The semantics of the cert
are irrelevant to the checking mechanism which can be pushed quite
low in the network layer as a result.
> (2) Perhaps another name is needed than "revocation". SPKI/SDSI does not,
> as Carl noted, really try to "revoke" certificates. Anyone holding
> a previously issued certificate may legitimately go ahead and try to
> use it. But the server he is trying to access may know that the cert
> has been revoked, and fail to honor the access request.
I see the certificate as an authenticated assertion.
"Foobar asserts that xyz is Freds key"
Or if you want to run a business:
"CertCo asserts that it has determined that xyz in accordance with
its level1 certification proceedures is the entity known as Freds key"
Tales of revocation are really a coda to this:
"... and if you really want to be sure check that it has not been
revoked according to proceedure PQR".
The revocation itself is also an assertion:
"... I assert that xyz is a broken key" -- signed xyz
The only thing that is special about revocation is that a revocation
assertion is self validating and does not need any other trust
assupmtions to be made to be accepted as valid.