
RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments)



It is not the cost associated with generating the base CRL but the overall
system cost which is in question, e.g. the cost associated with the
distribution of the CRL with replicated distribution mechanisms. If you
publish a CRL to a directory, and that directory has multiple replicas,
then there is a knock-on effect when one instance of the directory is
updated. The update is then replicated to all other instances. If you
are not using a replicated directory, you may be using a replicated web
server, which will have the same problem. Then there are bandwidth
implications. Even in this day and age, bandwidth may be limited, and
downloading a full CRL has a cost associated with it.


-----Original Message-----
From: Eric Rescorla [mailto:ekr@xxxxxxxxxxxxxxx] 
Sent: Sunday, April 22, 2001 6:20 PM
To: Ambarish Malpani
Cc: 'Housley, Russ'; ietf-pkix@xxxxxxx
Subject: Re: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.txt comments)

Ambarish Malpani <ambarish@xxxxxxxxxxxx> writes:

> Russ, the problem with this is that CAs might be unwilling to issue
> delta-CRLs because issuing a full CRL every time is too
> burdensome.
Ambarish, could you explain why the cost of issuing a full
CRL is too burdensome? Surely it's not the cost of the signature
itself you're concerned with.

-Ekr