RE: OCSP and CSL
https://www.verisign.com/repository/CPS1.2/CPSCH9.HTM FYI.
9.8.2 is fun.
-----Original Message-----
From: Philip Hallam-Baker [mailto:pbaker@verisign.com]
Sent: Wednesday, January 26, 2000 12:14 PM
To: 'Brian Ford'; Massimiliano Pala
Cc: ietf-pkix@imc.org
Subject: RE: OCSP and CSL
>The CSL which you describe seems to me like a subset of a CRL.
This is my understanding of the matter too. I really don't like the
profusion of acronyms for variants of the same structure. I have seen
various varieties of CRL referred to by customers - ARL (as Authority
revocation list and Attribute revocation list), XRLs (for cross
certification), SRLs (Self signed root), CCRLs (revocation lists for
revocation lists), PRLs (Patented proprietary revocation lists, OK I made
the last one up but it's funny).
I really don't think we should do anything to encourage more acronyms.
The idea of doing anything different with suspended certs is a bit weird
methinks. If one is going to have a prayer of using suspended certs
in the manner originally intended then all the junk certs had better be
in the same bag.
The big problem of suspended certs is unsuspension. Unless you are
paying for your PKI on a per cert issued basis rather than a per PKI
seat basis there really is not a lot of incentive to suspend rather than
aggressively revoke and then selectively reissue.
Reversing a certificate suspension would be nice if it was likely to
work reliably enough. I can imagine a specialist status processing
server (e.g. OCSP) getting suspension right but the idea of end clients
checking the sigs on reams of CRLs to find out about unsuspension and
getting it right is surreal.
There are relatively few cases in which authentication data needs to be
suspended (Alice is Alice as Ayn Rand followers would say). It tends to
be authorization data (Alice is allowed to log on) that tends to require
short term modification. Hence my interest in getting a handle on the
distributed authorization issue.
Phill
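The suspension/unsuspension problem Phill describes above, as an added example that is not part of the thread: a relying party that holds several CRLs has to verify each signature, discard stale ones, and take the freshest, because a hold (reason code certificateHold) is lifted in a base CRL simply by the entry disappearing, so a client stuck on an older CRL keeps seeing the certificate as suspended. The CA key, the two serial numbers, the dates and the forged CRL are all constructed here for illustration, and the code uses the `cryptography` library (assumed installed); none of it is VeriSign's or any CA's code.

```python
import datetime as dt

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC = dt.timezone.utc


def make_crl(signing_key, issuer_cn, this_update, next_update, entries):
    """Build and sign a CRL. entries: iterable of (serial, revocation_time, ReasonFlags or None)."""
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)]))
        .last_update(this_update)
        .next_update(next_update)
    )
    for serial, when, reason in entries:
        entry = x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(when)
        if reason is not None:
            entry = entry.add_extension(x509.CRLReason(reason), critical=False)
        builder = builder.add_revoked_certificate(entry.build())
    return builder.sign(private_key=signing_key, algorithm=hashes.SHA256())


def _utc(crl, field):
    # cryptography >= 42 exposes tz-aware *_utc properties; older releases return naive UTC
    try:
        return getattr(crl, field + "_utc")
    except AttributeError:
        return getattr(crl, field).replace(tzinfo=UTC)


def certificate_status(serial, crls, ca_public_key, now):
    """Decide a certificate's status from whatever CRLs the client happens to hold.

    Only CRLs whose signature verifies under the CA key count, and only those
    still inside their validity window; among those, the newest thisUpdate wins.
    Returns one of "good", "suspended", "revoked", "unknown".
    """
    usable = [
        c for c in crls
        if c.is_signature_valid(ca_public_key) and _utc(c, "next_update") >= now
    ]
    if not usable:
        return "unknown"        # fail closed: no trustworthy, fresh status source at all
    latest = max(usable, key=lambda c: _utc(c, "last_update"))
    entry = latest.get_revoked_certificate_by_serial_number(serial)
    if entry is None:
        return "good"           # absent from the freshest CRL: never revoked, or the hold was lifted
    try:
        reason = entry.extensions.get_extension_for_class(x509.CRLReason).value.reason
    except x509.ExtensionNotFound:
        reason = x509.ReasonFlags.unspecified
    if reason == x509.ReasonFlags.certificate_hold:
        return "suspended"
    if reason == x509.ReasonFlags.remove_from_crl:
        return "good"           # only meaningful in a delta CRL: says the base CRL entry was lifted
    return "revoked"


# Constructed scenario (assumption, not from the thread): a CA suspends a
# certificate, lifts the hold twelve hours later, and an attacker who cannot
# sign as the CA publishes an empty, newer-looking CRL to hide a revocation.
CA_KEY = ec.generate_private_key(ec.SECP256R1())
ATTACKER_KEY = ec.generate_private_key(ec.SECP256R1())
CA_PUB = CA_KEY.public_key()
SERIAL_HELD = 0x1001        # suspended, then unsuspended
SERIAL_REVOKED = 0x1002     # key compromise, permanent

T0 = dt.datetime(2000, 1, 26, 12, 0, tzinfo=UTC)
DAY = dt.timedelta(days=1)
NOW = T0 + dt.timedelta(hours=18)   # client checks between the two CA-issued CRLs' expiry
LATER = T0 + 3 * DAY                # every CRL below has passed its nextUpdate

CRL_HOLD = make_crl(CA_KEY, "Example CA", T0, T0 + DAY, [
    (SERIAL_HELD, T0, x509.ReasonFlags.certificate_hold),
    (SERIAL_REVOKED, T0, x509.ReasonFlags.key_compromise),
])
# The hold is lifted: in a base CRL the entry simply disappears.
CRL_UNHOLD = make_crl(CA_KEY, "Example CA", T0 + DAY / 2, T0 + DAY / 2 + DAY, [
    (SERIAL_REVOKED, T0, x509.ReasonFlags.key_compromise),
])
CRL_FORGED = make_crl(ATTACKER_KEY, "Example CA", T0 + DAY, T0 + 2 * DAY, [])

if __name__ == "__main__":
    for label, crls in [("all CRLs", [CRL_HOLD, CRL_UNHOLD, CRL_FORGED]),
                        ("stale client copy", [CRL_HOLD]),
                        ("forged CRL only", [CRL_FORGED])]:
        print(f"{label:18s} held={certificate_status(SERIAL_HELD, crls, CA_PUB, NOW)} "
              f"revoked={certificate_status(SERIAL_REVOKED, crls, CA_PUB, NOW)}")
```

The point of the three runs is the one Phill makes: the same serial reads as "good" for a client holding the fresh CRL and "suspended" for one stuck on the older copy, and nothing in the older CRL tells the client it is missing an update. An OCSP responder sitting on the CA's own database does not have that problem, which is why the message expects a status server to get suspension right where end clients will not.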