
Re: Light-weight certificate revocation lists ?



At 10:42 AM 4/2/97 -0500, David P. Kemp wrote:
>From my POV, the only "interesting" security-related behaviour is
>deterministic.  The non-deterministic case may be interesting from an
>academic study, intellectual exercise POV, but I wouldn't want to deploy
>an actual system based on it.


Amen!


>* But if you assume that certificates will be stored in distributed
>  repositories and local caches, then there are efficiency benefits to
>  using long-term certificates and short-term CRLs.


I did a back of the envelope study about 1.5 years ago comparing CRL use to 
short expiration certificates, from a performance point of view.  I came up 
with formulas for network traffic, number of signature checks per second, 
number of signature formations per second, etc.  as functions of number of 
certificates in the system, frequency of revocation, lifetime on the cert, 
lifetime on the CRL, ....  I need to resurrect that computation and post it, 
unless someone beats me to it.

 - Carl


+------------------------------------------------------------------+
|Carl M. Ellison  cme@cybercash.com   http://www.clark.net/pub/cme |
|CyberCash, Inc.                      http://www.cybercash.com/    |
|207 Grindall Street   PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Baltimore MD 21230-4103  T:(410) 727-4288  F:(410)727-4293        |
+------------------------------------------------------------------+

