Re: Revocation, etc...
Ron Rivest wrote:
>
> I have written a paper of potential interest to the SPKI/SDSI group,
> which is posted on my web site. See
> http://theory.lcs.mit.edu/~rivest/publications.html
> where the first paper listed is entitled,
> "Can we eliminate revocation lists?"
>
> The approach proposed there extends the SPKI/SDSI model in two directions:
>   -- explicitly describing how key compromise can be handled
>   -- giving certificates THREE dates:
>      -- an issue date (i.e. the "not-before" date)
>      -- a "good-until" date (the certificate is guaranteed by
>         the issuer to be good from the issuer until
>         the "good-until" date; it can't be revoked
>         until after then. No on-line checks would be
>         needed until after this date.)
>      -- an expiration date (i.e. the "not-after" date)
>
> This divides the life of a certificate into periods:
>      not-yet-good
>      definitely good (no need to check)
>      probably good (and checkable)
>      expired
>
> Standard SDSI (without on-line checks) has
> good-until = expiration (no checking)
>
> Standard X.509 has
> good-until = issue (always checking)
>
> The new proposal gets the benefits of both models, more clearly...
>
> Comments??
Is the idea that once the "good-until" date has been passed, and you do
the check, that you get a new "good-until" date?
Cheers,
Ben.
--
Ben Laurie |Phone: +44 (181) 735 0686| Apache Group member
Freelance Consultant |Fax: +44 (181) 735 0689|http://www.apache.org
and Technical Director|Email: ben@algroup.co.uk |
A.L. Digital Ltd, |Apache-SSL author http://www.apache-ssl.org/
London, England. |"Apache: TDG" http://www.ora.com/catalog/apache
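The three-date scheme quoted above, written out as an added example (not code from the thread or from the paper): a classifier that places a certificate into one of the four periods and decides whether an on-line check is needed, plus the two degenerate settings the post names for standard SDSI and standard X.509. Dates are ISO strings, and the boundary convention (good on the issue and good-until dates themselves, expired once the expiration date has passed) is an assumption the post does not spell out.

```python
from datetime import date
from enum import Enum


class Period(Enum):
    NOT_YET_GOOD = "not-yet-good"
    DEFINITELY_GOOD = "definitely good (no need to check)"
    PROBABLY_GOOD = "probably good (and checkable)"
    EXPIRED = "expired"


def _d(s: str) -> date:
    """Parse an ISO date such as '1998-03-01' (inputs are plain strings)."""
    return date.fromisoformat(s)


def classify(issue: str, good_until: str, expiry: str, today: str) -> Period:
    """Map `today` onto the four periods of a three-date certificate.

    Boundary convention (assumed, not fixed by the post): the certificate
    is good on the issue date and on the good-until date, and is expired
    once `today` is past the expiration date.
    """
    i, g, e, t = _d(issue), _d(good_until), _d(expiry), _d(today)
    if not i <= g <= e:
        raise ValueError("dates must satisfy issue <= good-until <= expiry")
    if t < i:
        return Period.NOT_YET_GOOD
    if t <= g:
        return Period.DEFINITELY_GOOD      # issuer guarantees it; no check
    if t <= e:
        return Period.PROBABLY_GOOD        # still usable, but ask the issuer
    return Period.EXPIRED


def needs_online_check(issue: str, good_until: str, expiry: str, today: str) -> bool:
    """Only the 'probably good' window requires an on-line status check."""
    return classify(issue, good_until, expiry, today) is Period.PROBABLY_GOOD


def sdsi_dates(issue: str, expiry: str):
    """Standard SDSI as described in the post: good-until = expiration."""
    return issue, expiry, expiry


def x509_dates(issue: str, expiry: str):
    """Standard X.509 as described in the post: good-until = issue."""
    return issue, issue, expiry
```

With the SDSI triple no date inside the validity window ever needs a check, and with the X.509 triple every date after the issue date does, which is the "benefits of both" contrast the post draws.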