[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: delta-CRLs (was Re: LastCall:draft-ietf-pkix-new-part1-06.txt comments)

To: "David P. Kemp" <dpkemp@xxxxxxxxxxxxxx>, ietf-pkix@xxxxxxx
Subject: Re: delta-CRLs (was Re: LastCall:draft-ietf-pkix-new-part1-06.txt comments)
From: Paul Hoffman / IMC <phoffman@xxxxxxx>
Date: Mon, 23 Apr 2001 11:51:18 -0700
In-reply-to: <>
References: <><><>

At 12:50 PM -0400 4/23/01, David P. Kemp wrote:

I'll refer you to Russ' message of Jan 18 "Re: Two questions on delta-CRL":
  "I think we may be splitting hairs on the term "issue". I am not
   sure that I would consider a CRL that was generated but not
   distributed to be "issued".

I think we are splitting hairs on what "distributed" means.

The problem is not that it is too burdensome for a CA to have a cron job
that sweeps the database and signs a full CRL every time it signs a delta.
The problem is that once the full CRL is signed, it is transmitted across
the network to directory/database/repository replicas and to clients.

"Transmitted"? The only common form of "push" on the Internet is email, and I know of no CRL-over-email distribution schemes. Much more common is that the CA simply puts the newly-issued CRL on its FTP/web server and waits for people who want the CRL to come to them.

Some people have automated jobs that mirror the CRLs every day or even more often; these folks have already calculated the cost of mirroring so often (and of not using delta CRLs).

If you are a PKI provider (as I am), and you have to provision 3.5
million subscribers, the cost of that provisioning with full CRLs is
prohibitive, whereas the cost of provisioning with deltas is not.

You do not have to provision them with the latest CRL; you simply need to let them get the latest CRL when they feel like it. Or, better yet, tell them to get the delta CRL; that is why you issued it, yes?

If Russ (i.e. the PKIX WG) would make a clear statement that "issue"
means "sign and place in one repository", vice "sign and distribute
to all RPs", then I would have no problem with the current MUST
requirement.  But if a CRL is not deemed to be "issued" unless it is
available to all, then I strongly agree with Trevor, David Cross, and
Ambarish that the requirement to "issue" a full CRL for every delta
must be relaxed.

We agree here, other than I would say "issue" means "sign and place in at least all the repositories that are pointed to in any CRL Distribution Point URI."

--Paul Hoffman, Director
--Internet Mail Consortium

Follow-Ups:
- Re: delta-CRLs (was Re: LastCall:draft-ietf-pkix-new-part1-06.txtcomments)
  - From: David P. Kemp

References:
- RE: delta-CRLs (was Re: Last Call:draft-ietf-pkix-new-part1-06.tx tcomments)
  - From: Ambarish Malpani
- RE: delta-CRLs (was Re: LastCall:draft-ietf-pkix-new-part1-06.txt comments)
  - From: Paul Hoffman / IMC
- Re: delta-CRLs (was Re: LastCall:draft-ietf-pkix-new-part1-06.txt comments)
  - From: David P. Kemp

Prev by Date: RE: delta-CRLs (was Re: LastCall:draft-ietf-pkix-new-part1-06.txt comments)
Next by Date: RE: delta-CRLs (was Re: LastCall:draft-ietf-pkix-new-part1-06.txt comments)
Previous by thread: RE: delta-CRLs (was Re: LastCall:draft-ietf-pkix-new-part1-06.txt comments)
Next by thread: Re: delta-CRLs (was Re: LastCall:draft-ietf-pkix-new-part1-06.txtcomments)
Index(es):
- Date
- Thread