
Re: Certificate Cancellation Notices (CCN)



On Sat, 5 Apr 1997, Carl Ellison wrote:
> 
> At 03:11 PM 4/5/97 -0500, Steven Bellovin wrote:
> >The point of CRLs is to avoid the need for online services.  It's not so
> >much the replication of the database that concerns me; rather, it's the
> >requirement that all possible acceptors of certificates be online to do
> >any processing whatsoever.
> 
> We already have an even simpler mechanism for processing certificates
> offline -- certificates with no online tests and no CRLs -- just their
> own validity intervals.
> 
> Offline CRLs don't magically make offline certs suddenly any more precise
> than certs alone whose dates are the intersection of the cert plus CRL.
> 

Alternatively, one could create a local CRCert with the result of every
validation.  Then when you're using your laptop on an airplane and want to
verify a cert/signature, you could check your local CRCert from your last
verification.  If that CRCert is too old for your tastes, then you
shouldn't consider the signature valid.  What makes a CRCert "too old"
depends on the context -- e.g. is the message just someone wishing you a
happy birthday, or is it something more important.

A verification engine could present the user with a message like "Unable
to validate this cert online, but the last time you validated it was on
YYYY/MM/DD_HH:MM:SS and the result was X."  The user could then decide if
he should accept/reject the cert anyway or wait until he can get online
again.

		Marc

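The local CRCert idea described in the message above, as an added Python sketch that is not code from the post or from any real validation library. The fingerprint, the per-context freshness table and the timestamps are constructed assumptions; the decision logic combines the certificate's own validity interval with the age of the last cached online result.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Tuple

STAMP = "%Y/%m/%d_%H:%M:%S"  # the YYYY/MM/DD_HH:MM:SS form used in the message


def ts(s: str) -> datetime:
    """Parse a timestamp written in the STAMP format."""
    return datetime.strptime(s, STAMP)


@dataclass
class CRCert:
    """Locally cached result of the last online validation of one certificate."""
    fingerprint: str
    validated_at: datetime  # when the online check was performed
    result: str             # what that check returned: "good" or "revoked"


# Assumed freshness policy: how stale a cached result may be, per context.
MAX_AGE: Dict[str, timedelta] = {
    "birthday-greeting": timedelta(days=30),
    "contract": timedelta(hours=1),
}


class OfflineVerifier:
    def __init__(self) -> None:
        self.cache: Dict[str, CRCert] = {}

    def record_online_validation(self, fp: str, result: str, when: datetime) -> None:
        """Store a CRCert after every contact with the online validation service."""
        self.cache[fp] = CRCert(fp, when, result)

    def decide(self, fp: str, not_before: datetime, not_after: datetime,
               context: str, now: datetime) -> Tuple[str, str]:
        """Offline decision: 'accept', 'reject' or 'prompt', plus an explanation."""
        # The certificate's own validity interval applies regardless of any cache.
        if not (not_before <= now <= not_after):
            return "reject", "certificate is outside its own validity interval"
        crcert = self.cache.get(fp)
        if crcert is None:
            return "prompt", "Unable to validate this cert online; no prior result on file."
        stamp = crcert.validated_at.strftime(STAMP)
        if crcert.result != "good":
            # A cached negative result never becomes acceptable by ageing.
            return "reject", f"last validation on {stamp} found the cert {crcert.result}"
        if now - crcert.validated_at > MAX_AGE[context]:
            # Too old for this context: surface the message proposed in the post.
            return "prompt", (f"Unable to validate this cert online, but the last time "
                              f"you validated it was on {stamp} and the result was good.")
        return "accept", f"cached validation from {stamp} is fresh enough for {context}"
```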