[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Revocation, etc...

Ron Rivest wrote:
> I have written a paper of potential interest to the SPKI/SDSI group,
> which is posted on my web site.  See
>         http://theory.lcs.mit.edu/~rivest/publications.html
> where the first paper listed is entitled,
>         "Can we eliminate revocation lists?"
> The approach proposed there extends the SPKI/SDSI model in two directions:
>         -- explicitly describing how key compromise can be handled
>         -- giving certificates THREE dates:
>                 -- an issue date (i.e. the "not-before" date)
>                 -- an "good-until" date (the certificate is guaranteed by
>                         the issuer to be good from the issuer until
>                         the "good-until" date; it can't be revoked
>                         until after then.  No on-line checks would be
>                         needed until after this date.)
>                 -- an expiration date (i.e. the "not-after" date)
>                 This divides the life of a certificate into periods:
>                         not-yet-good
>                         definitely good (no need to check)
>                         probably good (and checkable)
>                         expired
>                 Standard SDSI (without on-line checks) has
>                         good-until = expiration (no checking)
>                 Standard X.509 has
>                         good-until = issue (always checking)
>         The new proposal gets the benefits of both models, more clearly...
> Comments??

Is the idea that once the "good-until" date has been passed, and you do
the check, that you get a new "good-until" date?



Ben Laurie            |Phone: +44 (181) 735 0686|  Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org
and Technical Director|Email: ben@algroup.co.uk |
A.L. Digital Ltd,     |Apache-SSL author    http://www.apache-ssl.org/
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache