[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CRLs as wandering anti-matter

At 08:54 AM 4/2/97 -0500, David P. Kemp wrote:
>> From: Carl Ellison <cme@cybercash.com>
>> 	To me, the fundamental problem with the CRL idea is that it violates the
>> cardinal rule of data driven programming:  that once you have emitted a 
>> datum, you may not attempt to take it back.  If you provide for such a 
>> mechanism, then you are allowing non-deterministic behavior.
>Since seeing this analogy in your original paper, I've never understood
>it.  A dataflow architecture machine takes, say, two numbers A and B,
>and when both of them have arrived (asynchronously), the processor
>produces a result C which is then passed along to whatever depends on
>This is precisely how CRLs work!  The access control decision function
>requires two pieces of information from the PKI: a certificate and a
>CRL.  When both of those inputs are available, along with any other
>required information (the access being requested by the principal, the
>current time, the principal's bank account balance, etc), the decision
>function produces a result: Yes or No.
>CRLs don't wander around space like anti-matter, randomly colliding with
>certificates!  Just like certificates, they are fetched as needed if
>they aren't already available from a local cache on the decision-making


	the CRLs you describe must have a validity period.  If a CRL has no 
validity period, then you don't know if the one you have has expired.

	The wandering anti-matter CRLs I was referring to are ones with no valdity 
periods of their own.  They were not mandatory inputs to a verification step
but rather an optional thing to be sent out if the mood hits and you want
to say "oops".

	If you have dated CRLs, then you have effectively a two-part certificate, 
each with a date range and therefore the combination has a date range.
The combination is equivalent to a short-expiry certificate, probably in
execution time as well as net traffic.

 - Carl

|Carl M. Ellison  cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc.                      http://www.cybercash.com/    |
|207 Grindall Street   PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Baltimore MD 21230-4103  T:(410) 727-4288  F:(410)727-4293        |

Follow-Ups: References: