Re: Two questions on delta-CRL
Sam Schaen wrote:
>
> I believe the requirement for issuing a complete CRL when a delta CRL is
> released makes sense.
> [..]
> The availability of a current full CRL also allows an application to
> resynchronize at any point.
I think this is the most important argument. An application might
lose the stored CRL, or the CRL might get corrupted, e.g. by a system crash.
The damage for the application is limited to the loss of some
network-bandwidth. Resynchronization is simple.
E.g. if you issue a full CRL each day (24h) and delta-CRLs every
hour the application will have to obtain the last full CRL and every
delta CRL issued since then to get up to date (max. 24 accesses
instead of one).
If you want to relax the requirement of issuing full and delta CRLs
at the same time you have to mandate
1. that the CRL issuer stores all delta URLs from the last full CRL
and
2. you have to provide appropriate service access points to obtain
all necessary delta CRLs.
The application logic gets more complicated though.
Ciao, Michael.
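
Added example, not part of the original message: a toy model of the two issuing policies discussed above, counting how many CRL fetches a client needs to resynchronize after losing its stored CRL. The Issuer class, resync(), run() and the serial numbers are hypothetical; deltas are assumed to list only serials revoked since the previous CRL, which matches the message's arithmetic.

```python
FULL_INTERVAL_H = 24  # one full CRL per day, one delta per hour (figures from the post)

class Issuer:
    """Toy CRL issuer; publish() is called once per hour."""
    def __init__(self, full_with_every_delta):
        self.full_with_every_delta = full_with_every_delta
        self.revoked = set()
        self.store = {}   # (kind, hour) -> frozenset of revoked serials
        self.hour = -1

    def publish(self, newly_revoked=()):
        self.hour += 1
        self.revoked |= set(newly_revoked)
        scheduled_full = self.hour % FULL_INTERVAL_H == 0
        if scheduled_full or self.full_with_every_delta:
            self.store[("full", self.hour)] = frozenset(self.revoked)
        if not scheduled_full:
            # Assumption: a delta lists only serials revoked since the previous CRL.
            self.store[("delta", self.hour)] = frozenset(newly_revoked)

    def fetch(self, kind, hour):
        return self.store[(kind, hour)]  # KeyError if the issuer no longer has it

def resync(issuer):
    """Rebuild revocation state after local loss; return (revoked, fetches)."""
    now = issuer.hour
    if issuer.full_with_every_delta:
        return set(issuer.fetch("full", now)), 1
    base = now - now % FULL_INTERVAL_H
    revoked, fetches = set(issuer.fetch("full", base)), 1
    for hour in range(base + 1, now + 1):   # every delta since the last full CRL
        revoked |= issuer.fetch("delta", hour)
        fetches += 1
    return revoked, fetches

def run(full_with_every_delta, hours=24):
    issuer = Issuer(full_with_every_delta)
    for h in range(hours):
        issuer.publish([1000 + h] if h % 5 == 0 else [])  # constructed serials
    return resync(issuer)

if __name__ == "__main__":
    print("full with every delta:", run(True)[1], "fetch")
    print("relaxed:", run(False)[1], "fetches")
```

Under the relaxed policy a single delta missing from the issuer's store makes resync() fail, which is why the message's condition 1 is needed.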