RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments)
Hi Eric,
I don't have any problems with issuing new CRLs every few
seconds - unfortunately, some of the CA vendors do :-)
Anyway, the problem people have with issuing full CRLs at every
revocation is the amount of extra processing they do with the
CRL - e.g. back it up in their database, create some kind of
audit trail, look up all the revoked certificates in their
database, etc.
I have heard more than 1 CA vendor balk at the idea of issuing a
new CRL for every revocation event, so I must believe that this is
a pretty expensive operation.
Regards,
Ambarish
---------------------------------------------------------------------
Ambarish Malpani
Architect 650.567.5457
ValiCert, Inc. ambarish@xxxxxxxxxxxx
339 N. Bernardo Ave. http://www.valicert.com
Mountain View, CA 94043
> -----Original Message-----
> From: Eric Rescorla [mailto:ekr@xxxxxxxxxxxxxxx]
> Sent: Sunday, April 22, 2001 6:20 PM
> To: Ambarish Malpani
> Cc: 'Housley, Russ'; ietf-pkix@xxxxxxx
> Subject: Re: delta-CRLs (was Re: Last
> Call:draft-ietf-pkix-new-part1-06.txt comments)
>
>
> Ambarish Malpani <ambarish@xxxxxxxxxxxx> writes:
>
> > Russ, the problem with this is that CAs might be unwilling to issue
> > delta-CRLs because issuing a full CRL every time is too
> > burdensome.
> Ambarish, could you explain why the cost of issuing a full
> CRL is too burdensome? Surely it's not the cost of the signature
> itself you're concerned with.
>
> -Ekr
>