The delta CRL concept is a lot simpler than folks make it out to be. If a compliant client takes a delta and a base that is referenced by the delta, or a later base, it has the current full picture.
As Sharon said, requiring a full CRL defeats the delta purpose.
Again, once you have the referenced or later base and apply the delta to it, you have the current stuff.
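The combination rule described above (a delta may be applied to the base it references or to any later complete CRL, and the result is the current revocation picture) is easy to mis-implement on the client side, so here is an added worked example. It is not code from the thread or from any PKIX implementation; it models CRLs as plain Python objects rather than parsing ASN.1, and the issuer name, CRL numbers and serial numbers are constructed sample values. The checks follow the Delta CRL Indicator semantics in the PKIX profile: the delta's BaseCRLNumber must be less than or equal to the complete CRL's number, the delta must be newer than the base, and a removeFromCRL entry in the delta clears a hold recorded in the base.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Reason code that tells the relying party to drop an entry (a released hold).
REMOVE_FROM_CRL = "removeFromCRL"


@dataclass(frozen=True)
class Entry:
    serial: int      # certificate serial number (constructed sample values below)
    reason: str      # CRL reason code as a plain string in this model


@dataclass
class CompleteCrl:
    """Simplified complete (base) CRL: issuer, CRL number, serial -> reason."""
    issuer: str
    crl_number: int
    entries: Dict[int, str] = field(default_factory=dict)


@dataclass
class DeltaCrl:
    """Simplified delta CRL carrying the Delta CRL Indicator (BaseCRLNumber)."""
    issuer: str
    crl_number: int
    base_crl_number: int
    entries: List[Entry] = field(default_factory=list)


def delta_applies_to(base: CompleteCrl, delta: DeltaCrl) -> bool:
    """True if this delta may be combined with this complete CRL.

    The base must come from the same issuer, must be the CRL the delta
    references or a later one (crl_number >= BaseCRLNumber), and the delta
    must actually be newer than the base, otherwise it carries nothing new.
    """
    return (
        base.issuer == delta.issuer
        and base.crl_number >= delta.base_crl_number
        and delta.crl_number > base.crl_number
    )


def apply_delta(base: CompleteCrl, delta: DeltaCrl) -> CompleteCrl:
    """Combine a complete CRL with a delta to get the current full picture."""
    if not delta_applies_to(base, delta):
        raise ValueError(
            f"delta #{delta.crl_number} (base #{delta.base_crl_number}) "
            f"cannot be applied to complete CRL #{base.crl_number}"
        )
    merged = dict(base.entries)          # entries absent from the delta are unchanged
    for entry in delta.entries:
        if entry.reason == REMOVE_FROM_CRL:
            merged.pop(entry.serial, None)   # hold released: certificate is valid again
        else:
            merged[entry.serial] = entry.reason   # new revocation or updated reason
    # The combined view is as current as the delta that produced it.
    return CompleteCrl(base.issuer, delta.crl_number, merged)


def is_revoked(crl: CompleteCrl, serial: int) -> bool:
    return serial in crl.entries


# Constructed sample data: three complete CRLs and one delta referencing #10.
ISSUER = "CN=Example CA"   # hypothetical issuer name
BASE_9 = CompleteCrl(ISSUER, 9, {1: "keyCompromise"})
BASE_10 = CompleteCrl(ISSUER, 10, {1: "keyCompromise", 2: "certificateHold"})
BASE_11 = CompleteCrl(ISSUER, 11, {1: "keyCompromise", 2: "certificateHold", 4: "cessationOfOperation"})
DELTA_12 = DeltaCrl(ISSUER, 12, base_crl_number=10, entries=[
    Entry(3, "superseded"),      # newly revoked since base #10
    Entry(2, REMOVE_FROM_CRL),   # hold on serial 2 released
])


def demo() -> Dict[str, object]:
    """Run the combinations a relying party might face and report the outcomes."""
    current_from_10 = apply_delta(BASE_10, DELTA_12)
    current_from_11 = apply_delta(BASE_11, DELTA_12)   # a later base works too
    return {
        "from_10": current_from_10.entries,
        "from_11": current_from_11.entries,
        "stale_base_rejected": not delta_applies_to(BASE_9, DELTA_12),
        "serial_2_revoked": is_revoked(current_from_10, 2),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the client never needs a complete CRL issued at the same instant as the delta: base #10 and base #11 both yield a view current as of delta #12, while base #9 is refused because the delta's BaseCRLNumber is higher than it.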
-----Original Message-----
From: Michael Myers [mailto:myers@xxxxxxxxxxxxx]
Sent: Monday, April 23, 2001 12:48 PM
To: Santosh Chokhani; Russ Housley; ietf-pkix@xxxxxxx
Subject: RE: delta-CRLs (was Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments)
Santosh,
I disagree. I remain concerned about divergence from the standard database
maintenance practice of producing a "full" and a set of "deltas". Towards
support of non-repudiation, I would expect that most who wish to make a case
on the basis of CRLs would prefer to make their case on the basis of a full
CRL.
At issue I believe is the notion that one MUST produce a full CRL every time
a delta is produced. I suggest that this lock-step production process does
indeed needlessly impact enterprise infrastructures as Trevor observed.
Russ, I propose as a middle ground text establishing that:
1. full CRLs are a SHALL in all cases, thus contributing to
interoperability;
2. that the periods of production of a full CRL and its corresponding deltas
MAY be identical, thus yielding the intent of the current text; but
3. when practiced, the production of deltas SHALL at a minimum be less than
that of the period of production of the corresponding full CRL, thus
enabling systems-level tuning to achieve a locally acceptable balance
between timeliness, effective non-repudiation support, generally accepted
database maintenance principles and infrastructure overhead.
And of course, deltas are a MAY.
I'll write this up as a drop-in to the current text depending on how
consensus flows on the proposal.
Mike
-----Original Message-----
From: Santosh Chokhani [mailto:chokhani@xxxxxxxxxxxx]
Sent: Monday, April 23, 2001 8:45 AM
To: Russ Housley; ietf-pkix@xxxxxxx
Subject: RE: delta-CRLs (was Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments)
I have been quiet on this. I am firmly in favor of NOT having the
requirement (i.e., delete the requirement): "CA post a full CRL whenever a
delta CRL is issued".
-----Original Message-----
From: Russ Housley [mailto:rhousley@xxxxxxxxxxxxxxx]
Sent: Monday, April 23, 2001 10:27 AM
To: ietf-pkix@xxxxxxx
Subject: RE: delta-CRLs (was Re: Last Call: draft-ietf-pkix-new-part1-06.txt comments)
All:
Trevor, Ambarish, Denis, David, and others have proposed the removal of the
requirement that CAs post a full CRL whenever a delta-CRL is
posted. Trevor suggested that the consequences of a CA posting a
delta-CRL without posting a full CRL could be discussed in a single
paragraph in the Security Considerations section.
Paul and Mike have suggested that the current text is fine.
A few people have contributed to the thread but not made their own position
clear. Perhaps they are only academically interested. Or, perhaps the
dialogue is helping them reach their own conclusion. I do not
know. Regardless, most people have been silent on this issue.
I would like one of the proponents for removing the requirement to suggest
alternative text, and I would like to hear from more people about the
proposed revision.
We are in Working Group Last Call. I would like to reach consensus on this
issue, make the necessary change (if any), and get the document to the
IESG. Many other working groups are waiting for our document.
Russ