Re: serial numbers // push/pull CRL's
At 04:57 PM 4/2/97 -0800, Peter Williams wrote:
>One query.
>
>Can a source (e.g. HotSoft) issue a second certificate which differs
>as to the group which it lists, without first issuing a CRL?
>
>If G={a,b,c} in HotSoft's first certificate, and G={a,b} in the second,
>does c gain access following receipt by the group of G authorized
>by the second certificate? If the second replaces the first, presumably
>the group identifier is the linkage, and issuing date is the
>signal to replace.
The example you give suggests a group definition in a single certificate
and we don't have such a construct in the new SPKI/SDSI.
In general, if you want to redefine a certificate -- revoke some previously
granted rights -- then you need to let the first certificate expire.
The soap box I keep getting on is that you can not say "oops". You can not
issue a general CRL which tells the world that a given certificate is bad
because you have no guarantee that someone who has that cert will ever be
in touch again to discover there's a CRL, unless you force him to.
That is, you can make the original certificate short-lived or you can attach an
on-line test to the original certificate -- and let the on-line service
either reconfirm the certificate's validity or hand back a CRL (depending on
what your performance analysis suggests is the preferred way to go).
+------------------------------------------------------------------+
|Carl M. Ellison cme@cybercash.com http://www.clark.net/pub/cme |
|CyberCash, Inc. http://www.cybercash.com/ |
|207 Grindall Street PGP 2.6.2: 61E2DE7FCB9D7984E9C8048BA63221A2 |
|Baltimore MD 21230-4103 T:(410) 727-4288 F:(410)727-4293 |
+------------------------------------------------------------------+
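An added illustration of the point made above, not code from the list or from any SPKI/SDSI draft: certificates are independent and unlinked, so a later certificate with a smaller group does not retract the earlier one; only expiry or an attached on-line test does. The certificate fields, the epoch-second timestamps and the reconfirmation service are constructed for this example.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional

@dataclass(frozen=True)
class Cert:
    """Simplified authorization certificate (constructed fields, not SPKI syntax)."""
    issuer: str
    group: FrozenSet[str]            # principals the cert authorizes
    not_after: int                   # expiry, seconds since epoch (constructed values)
    online_test: Optional[str] = None  # locator of a reconfirmation service, if attached

def cert_valid(cert: Cert, now: int,
               online_check: Optional[Callable[[Cert], bool]] = None) -> bool:
    """A cert is good until it expires; a CRL cannot reach a holder who never calls back.
    If the issuer attached an on-line test, the verifier must get a fresh answer now."""
    if now > cert.not_after:
        return False
    if cert.online_test is not None:
        if online_check is None:
            return False          # cannot perform the test: fail closed
        return online_check(cert) is True
    return True

def has_access(principal: str, certs, now: int,
               online_check: Optional[Callable[[Cert], bool]] = None) -> bool:
    """Grant if any still-valid cert lists the principal. No cert supersedes another."""
    return any(principal in c.group and cert_valid(c, now, online_check) for c in certs)

# Peter's scenario: first cert lists {a,b,c}, second lists {a,b}. No linkage between them.
FIRST = Cert("HotSoft", frozenset("abc"), not_after=1000)
SECOND = Cert("HotSoft", frozenset("ab"), not_after=2000)

def c_access_before_expiry() -> bool:
    return has_access("c", [FIRST, SECOND], now=500)      # True: FIRST still valid

def c_access_after_expiry() -> bool:
    return has_access("c", [FIRST, SECOND], now=1500)     # False: FIRST expired

# Carl's alternative: long-lived cert plus an on-line test the verifier must consult.
TESTED = Cert("HotSoft", frozenset("abc"), not_after=2000,
              online_test="hypothetical://hotsoft.example/reconfirm")
WITHDRAWN: set = set()   # constructed stand-in for the service's current answer

def reconfirm(cert: Cert) -> bool:
    return cert not in WITHDRAWN

def c_access_via_online_test(withdrawn: bool) -> bool:
    WITHDRAWN.clear()
    if withdrawn:
        WITHDRAWN.add(TESTED)
    return has_access("c", [TESTED], now=1500, online_check=reconfirm)
```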