[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Certificate Cancellation Notices (CCN)
Marc Branchaud wrote:
| On Sat, 5 Apr 1997, Carl Ellison wrote:
| > At 03:11 PM 4/5/97 -0500, Steven Bellovin wrote:
| > >The point of CRLs is to avoid the need for online services. It's not so
| > >much the replication of the database that concerns me; rather, it's the
| > >requirement that all possible acceptors of certificates be online to do
| > >any processing whatsoever.
| > We already have an even simpler mechanism for processing certificates
| > offline -- certificates with no online tests and no CRLs -- just their
| > own validity intervals.
| > Offline CRLs don't magically make offline certs suddenly any more precise
| > than certs alone whose dates are the intersection of the cert plus CRL.
| Alternatively, one could create a local CRCert with the result of every
| validation. Then when you're using your laptop on an airplane and want to
| verify a cert/signature, you could check your local CRCert from your last
| verification. If that CRCert is too old for your tastes, then you
| shouldn't consider the signature valid. What makes a CRCert "too old"
| depends on the context -- e.g. is the message just someone wishing you a
| happy birthday, or is it something more important.
I expect that putting tests like this in front of the user
will lead to the default action happening every time. So we need to
consider carefully what the default action should be.
Since certificates are not revokable, we should avoid thinking
that we need to look for CCNs or wandering anti-certificates. If all
the useful information you have says the certificate is good, then you
should treat the cert as good. If the CA is not available, then the
cert should stand. The fact that the cert is older than it was when
you last used it is only relevant if the cert has now expired.
If you create a local CRcert (or a list--signing the
assertions might get a little expensive), then you don't need to check
if there is a new revocation, it just gives you more reason to trust
that the cert is good. So I suggest that we not prompt the user
simply because they're disconnected from the net.
"It is seldom that liberty of any kind is lost all at once."