Re: serial numbers // push/pull CRL's
At 04:06 PM 4/2/97 EST, Ron Rivest wrote:
> Anyway, I think that push-CRL's are necessary, once you have setups such
> as envisioned above with servers managing databases for clients.
As I mentioned to you off-list, I think of this as a problem of distributed
database update. That is, the issuer and his ISP-run server are maintaining
parallel copies of a single database. The issuer wants to make changes
in his database and propagate those to the server. There are well known
techniques for such -- e.g., Lotus Notes, usenet news, ....
I agree that this might be an important feature of operation in the real
world but I don't think of it as part of the certificate structure or
even closely related to it.
There is a question of what's in that shared database.
1) there could be short-lived certificates which the issuer keeps updating
2) there could be long-lived certificates which refer to on-line tests
implemented by the ISP, based on some other database shared between
the issuer and the ISP.
(2) might have a performance advantage, if this other database can be
communicated securely from issuer to server. However, what happens when the
issuer hasn't given an update in a while? Should the server treat that as
good news or bad news?
In any case, I don't see this as a certificate issue.
+------------------------------------------------------------------+
|Carl M. Ellison cme@cybercash.com http://www.clark.net/pub/cme |
|CyberCash, Inc. http://www.cybercash.com/ |
|207 Grindall Street PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Baltimore MD 21230-4103 T:(410) 727-4288 F:(410)727-4293 |
+------------------------------------------------------------------+
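An added illustration, not part of this message or of any SPKI code, of the two database shapes Ellison lists and of his staleness question, in Python; the names Cert, StatusDB, check_cert and the sample data are this example's own assumptions:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set, Tuple

# Assumed, simplified models; field names are this example's, not SPKI's.
@dataclass
class Cert:
    subject: str
    not_after: datetime              # option (1): a short validity period bounds freshness
    status_db: Optional[str] = None  # option (2): long-lived cert naming an on-line test

@dataclass
class StatusDB:
    revoked: Set[str] = field(default_factory=set)
    last_issuer_update: Optional[datetime] = None  # when the issuer last pushed a change

def check_cert(cert: Cert, dbs: Dict[str, StatusDB], now: datetime,
               max_silence: timedelta) -> Tuple[bool, str]:
    """Accept `cert` at `now`?  Option (2) needs a policy for issuer silence:
    a status database not refreshed within `max_silence` is treated here as
    bad news (fail closed), not as "nothing has changed"."""
    if now > cert.not_after:
        return False, "certificate expired"
    if cert.status_db is None:
        return True, "short-lived certificate within its validity period"
    db = dbs.get(cert.status_db)
    if db is None or db.last_issuer_update is None:
        return False, "no usable status database for this certificate"
    if now - db.last_issuer_update > max_silence:
        return False, "status database stale: issuer silence treated as bad news"
    if cert.subject in db.revoked:
        return False, "revoked by on-line test"
    return True, "on-line test passed against fresh status data"
# Constructed sample data; a fixed 'now' keeps the run deterministic.
NOW = datetime(1997, 4, 3, 12, 0, tzinfo=timezone.utc)
DBS = {
    "fresh": StatusDB(revoked={"mallory"}, last_issuer_update=NOW - timedelta(hours=1)),
    "stale": StatusDB(revoked=set(), last_issuer_update=NOW - timedelta(days=10)),
}
MAX_SILENCE = timedelta(days=1)
SAMPLES = (
    Cert("alice", NOW + timedelta(hours=12)),                       # short-lived, valid
    Cert("bob", NOW + timedelta(days=365), status_db="fresh"),      # long-lived, fresh test
    Cert("mallory", NOW + timedelta(days=365), status_db="fresh"),  # long-lived, revoked
    Cert("carol", NOW + timedelta(days=365), status_db="stale"),    # long-lived, stale test
)
def run_demo() -> Dict[str, Tuple[bool, str]]:
    """Evaluate every sample certificate; keyed by subject."""
    return {c.subject: check_cert(c, DBS, NOW, MAX_SILENCE) for c in SAMPLES}
```

Whether silence is "good news or bad news" is the single policy knob (`max_silence`); the short-lived option needs no such knob because expiry itself forces the issuer to keep updating.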