Re: delta-CRLs (was Re: LastCall:draft-ietf-pkix-new-part1-06.txt comments)

Paul,

I'll refer you to Russ' message of Jan 18 "Re: Two questions on delta-CRL":

  "I think we may be splitting hairs on the term "issue". I am not
   sure that I would consider a CRL that was generated but not
   distributed to be "issued"."

The problem is not that it is too burdensome for a CA to have a cron job
that sweeps the database and signs a full CRL every time it signs a delta.
The problem is that once the full CRL is signed, it is transmitted across
the network to directory/database/repository replicas and to clients.
If you are a PKI provider (as I am), and you have to provision 3.5
million subscribers, the cost of that provisioning with full CRLs is
prohibitive, whereas the cost of provisioning with deltas is not.

If Russ (i.e. the PKIX WG) would make a clear statement that "issue"
means "sign and place in one repository", vice "sign and distribute
to all RPs", then I would have no problem with the current MUST
requirement.  But if a CRL is not deemed to be "issued" unless it is
available to all, then I strongly agree with Trevor, David Cross, and
Ambarish that the requirement to "issue" a full CRL for every delta
must be relaxed.

Dave K
Paul Hoffman / IMC wrote:
> 
> At 6:03 PM -0700 4/21/01, Ambarish Malpani wrote:
> >Russ, the problem with this is that CAs might be unwilling to issue
> >delta-CRLs because issuing a full CRL every time is too
> >burdensome.
> 
> Could you describe how it is "too burdensome"? Maybe I'm being naive,
> not being a CA, but asking a CA to sign a second document (the full
> CRL) at the time that it signs the first document (the delta-CRL)
> really doesn't seem that onerous.
> 
> I think the current requirement is fine.
> 
> --Paul Hoffman, Director
> --Internet Mail Consortium