[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Revocation, etc...

I have written a paper of potential interest to the SPKI/SDSI group,
which is posted on my web site.  See
where the first paper listed is entitled, 
	"Can we eliminate revocation lists?"

The approach proposed there extends the SPKI/SDSI model in two directions:
	-- explicitly describing how key compromise can be handled
	-- giving certificates THREE dates:
		-- an issue date (i.e. the "not-before" date)
		-- an "good-until" date (the certificate is guaranteed by
			the issuer to be good from the issuer until
			the "good-until" date; it can't be revoked 
			until after then.  No on-line checks would be
			needed until after this date.)
		-- an expiration date (i.e. the "not-after" date)

		This divides the life of a certificate into periods:
			definitely good (no need to check)
			probably good (and checkable)

		Standard SDSI (without on-line checks) has
			good-until = expiration (no checking)

		Standard X.509 has 
			good-until = issue (always checking)
	The new proposal gets the benefits of both models, more clearly...


	Ron Rivest