RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments)

["Michael Myers" <myers@xxxxxxxxxxxxx>]

Ambarish, Paul:

I must second Paul's concern.

If you work through what it takes for to implement both "full" and "delta"
CRL capabilities (i.e. CRON-driven sweeps across a database, formatting the
relevant info into 2459-compliant syntax, signing the result and pushing it
out to wherever or whomever) the software-level requirements to produce a
delta are pretty close to identical to those for a full.  Basically, it's
just another crontab entry with perhaps a different period.

But another thing bothers me in this dialog.  The notion of a full
backup/baseline in conjunction with (perhaps) more frequent deltas is a very
well known and highly advised practice, for an obvious set of reasons.  We
should be thinking more about how this general principle applies in this
instance.  PKI is not so unique in its nature that this standard database
maintenance practice does not apply.

Mike

> -----Original Message-----
> From: Paul Hoffman / IMC [mailto:phoffman@xxxxxxx]
> Sent: Sunday, April 22, 2001 7:06 AM
> To: ietf-pkix@xxxxxxx
> Subject: RE: delta-CRLs (was Re: Last
> Call:draft-ietf-pkix-new-part1-06.txt comments)
>
>
> At 6:03 PM -0700 4/21/01, Ambarish Malpani wrote:
> >Russ, the problem with this is that CAs might be unwilling to issue
> >delta-CRLs because issuing a full CRL every time is too
> >burdensome.
>
> Could you describe how it is "too burdensome"? Maybe I'm being naive,
> not being a CA, but asking a CA to sign a second document (the full
> CRL) at the time that it signs the first document (the delta-CRL)
> really doesn't seem that onerous.
>
> I think the current requirement is fine.
>
> --Paul Hoffman, Director
> --Internet Mail Consortium
>