[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Certificate Cancellation Notices (CCN)
Brian Thomas (below) asks how the CCN's work.
I guess I would expect a server to keep around recent CCN's it has
received. If a client submits a certificate that is apparently valid,
but which is listed on a CCN, then the server can disregard that
You are right that CCN's might not have much utility if they are not
stored by the server/verifier, as old copies might resurface.
The CCN allows for some "softening" of SPKI's "once-issued, no
revocation" policy by enabling an issuer to attempt to control the
extent to which an adversary can make use of a certificate that the
issuer would like to revoke, without having enforceable revocation.
However, if the issuer can distribute the CCN to the right places (which
might only be a few verifiers), he can get close to what CRL's
attempt to achieve, without all of their complexity and costs of CRL's.
CCN's are an informal version of CRL's, and get most of the benefits with
little of the cost, which is what you want in a system that calls itself
Date: Thu, 3 Apr 1997 10:29:37 -0600 (CST)
From: "Brian M. Thomas" <email@example.com>
X-Full-Name: Brian M. Thomas
To: firstname.lastname@example.org, email@example.com
Subject: Re: Certificate Cancellation Notice
Cc: firstname.lastname@example.org, email@example.com
I may be missing the point, but if the purpose of a CCN is to tell a
certificate server not to issue a cert, destroy its copy, etc., its
usefulness is limited. Once the certificate is issued and anyone else
has a copy, it really doesn't matter who doesn't have one, unless the
verifier's protocol doesn't accept certs from the supplicant but only
from a real-time server. This seems to me to require more stringent
protocols even than CRLs.
I'm sure I am missing the point. Somebody hit me with a clue.
Brian Thomas, CISSP - Distributed Systems Architect firstname.lastname@example.org
Southwestern Bell email@example.com
One Bell Center, Room 34G3 Tel: 314 235 3141
St. Louis, MO 63101 Fax: 314 235 0162