[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
CRLs as wandering anti-matter
At 08:54 AM 4/2/97 -0500, David P. Kemp wrote:
>> From: Carl Ellison <cme@cybercash.com>
>>
>> To me, the fundamental problem with the CRL idea is that it violates the
>> cardinal rule of data driven programming: that once you have emitted a
>> datum, you may not attempt to take it back. If you provide for such a
>> mechanism, then you are allowing non-deterministic behavior.
>
>Carl,
>
>Since seeing this analogy in your original paper, I've never understood
>it. A dataflow architecture machine takes, say, two numbers A and B,
>and when both of them have arrived (asynchronously), the processor
>produces a result C which is then passed along to whatever depends on
>it.
>
>This is precisely how CRLs work! The access control decision function
>requires two pieces of information from the PKI: a certificate and a
>CRL. When both of those inputs are available, along with any other
>required information (the access being requested by the principal, the
>current time, the principal's bank account balance, etc), the decision
>function produces a result: Yes or No.
>
>CRLs don't wander around space like anti-matter, randomly colliding with
>certificates! Just like certificates, they are fetched as needed if
>they aren't already available from a local cache on the decision-making
>host.
David,
the CRLs you describe must have a validity period. If a CRL has no
validity period, then you don't know if the one you have has expired.
The wandering anti-matter CRLs I was referring to are ones with no valdity
periods of their own. They were not mandatory inputs to a verification step
but rather an optional thing to be sent out if the mood hits and you want
to say "oops".
If you have dated CRLs, then you have effectively a two-part certificate,
each with a date range and therefore the combination has a date range.
The combination is equivalent to a short-expiry certificate, probably in
execution time as well as net traffic.
- Carl
+------------------------------------------------------------------+
|Carl M. Ellison cme@cybercash.com http://www.clark.net/pub/cme |
|CyberCash, Inc. http://www.cybercash.com/ |
|207 Grindall Street PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Baltimore MD 21230-4103 T:(410) 727-4288 F:(410)727-4293 |
+------------------------------------------------------------------+
Follow-Ups:
References: