
Revocation, etc...




I have written a paper of potential interest to the SPKI/SDSI group,
which is posted on my web site.  See
	http://theory.lcs.mit.edu/~rivest/publications.html
where the first paper listed is entitled, 
	"Can we eliminate revocation lists?"

The approach proposed there extends the SPKI/SDSI model in two directions:
	-- explicitly describing how key compromise can be handled
	-- giving certificates THREE dates:
		-- an issue date (i.e. the "not-before" date)
		-- a "good-until" date (the certificate is guaranteed by
			the issuer to be good from the issue date until
			the "good-until" date; it can't be revoked 
			until after then.  No on-line checks would be
			needed until after this date.)
		-- an expiration date (i.e. the "not-after" date)

		This divides the life of a certificate into periods:
			not-yet-good
			definitely good (no need to check)
			probably good (and checkable)
			expired

		Standard SDSI (without on-line checks) has
			good-until = expiration (no checking)

		Standard X.509 has 
			good-until = issue (always checking)
			
	The new proposal gets the benefits of both models, more clearly...

Comments??

	Ron Rivest
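The three-date lifecycle sketched in the message above, as an added worked example (this is not code from the message or from the paper it points to). It assumes the boundary convention that a certificate is still in the period whose end instant equals "now" (i.e. "good-until" and "not-after" are inclusive), and it uses a caller-supplied callable as a stand-in for whatever on-line revocation check a verifier would actually perform; both are assumptions, not anything the message specifies.

```python
"""Three-date certificate lifecycle: issue / good-until / expiration.

Added example illustrating the model in the message; not the paper's code.
Assumption: end instants are inclusive (at exactly good-until the cert is
still "definitely good"; at exactly expiration it is still "probably good").
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Callable, Tuple


class Status(Enum):
    NOT_YET_GOOD = "not-yet-good"
    DEFINITELY_GOOD = "definitely good (no need to check)"
    PROBABLY_GOOD = "probably good (and checkable)"
    EXPIRED = "expired"


def utc(year: int, month: int, day: int) -> datetime:
    """Small helper so sample instants are unambiguous (UTC)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ThreeDateCert:
    issue: datetime       # "not-before"
    good_until: datetime  # issuer promises no revocation before this instant
    expiration: datetime  # "not-after"

    def __post_init__(self) -> None:
        # The three dates only make sense in this order.
        if not (self.issue <= self.good_until <= self.expiration):
            raise ValueError("require issue <= good_until <= expiration")

    def status(self, now: datetime) -> Status:
        """Which of the four periods 'now' falls into."""
        if now < self.issue:
            return Status.NOT_YET_GOOD
        if now <= self.good_until:
            return Status.DEFINITELY_GOOD
        if now <= self.expiration:
            return Status.PROBABLY_GOOD
        return Status.EXPIRED

    def needs_online_check(self, now: datetime) -> bool:
        """An on-line revocation check is only meaningful in the
        'probably good' window; before it the issuer forbids revocation,
        after it the certificate is dead regardless."""
        return self.status(now) is Status.PROBABLY_GOOD


def sdsi_style(issue: datetime, expiration: datetime) -> ThreeDateCert:
    """Standard SDSI without on-line checks: good-until = expiration."""
    return ThreeDateCert(issue, expiration, expiration)


def x509_style(issue: datetime, expiration: datetime) -> ThreeDateCert:
    """Standard X.509: good-until = issue, so every use is checkable."""
    return ThreeDateCert(issue, issue, expiration)


def verify(cert: ThreeDateCert, now: datetime,
           is_revoked: Callable[[], bool]) -> Tuple[bool, bool]:
    """Relying-party decision.  Returns (accepted, performed_online_check).

    'is_revoked' is an assumed stand-in for a real on-line revocation
    query (CRL, OCSP-like responder, ...); it is consulted only when the
    certificate is in its 'probably good' period.
    """
    status = cert.status(now)
    if status is Status.DEFINITELY_GOOD:
        return True, False            # issuer's guarantee; skip the network
    if status is Status.PROBABLY_GOOD:
        return (not is_revoked()), True
    return False, False               # not yet good, or expired


if __name__ == "__main__":
    # Constructed sample certificate: issued 2000-01-01, guaranteed
    # through 2000-07-01, expires 2001-01-01.
    cert = ThreeDateCert(utc(2000, 1, 1), utc(2000, 7, 1), utc(2001, 1, 1))
    for when in (utc(1999, 12, 31), utc(2000, 3, 1),
                 utc(2000, 10, 1), utc(2001, 6, 1)):
        print(when.date(), cert.status(when).value,
              "check?", cert.needs_online_check(when))
```

Note how the two degenerate constructors fall out of the same class: `sdsi_style` never has a "probably good" window (so `verify` never goes on-line), while `x509_style` has no "definitely good" window (so it always does). A compromise reported during the "definitely good" window cannot be acted on by relying parties until good-until passes, which is the trade the issuer makes when it sets that date.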

