
RE: delta-CRLs (was Re: LastCall:draft-ietf-pkix-new-part1-06.txt comments)



Sorry, but to be blunt, how is this any different from an OCSP aware
client from a CRL aware client?

The CA operator knows and anticipates the needs of clients and builds a
publication schedule and revocation architecture accordingly.
David B. Cross



-----Original Message-----
From: Paul Hoffman / IMC [mailto:phoffman@xxxxxxx] 
Sent: Monday, April 23, 2001 4:21 PM
To: Ambarish Malpani; ietf-pkix@xxxxxxx
Subject: RE: delta-CRLs (was Re:
LastCall:draft-ietf-pkix-new-part1-06.txt comments)


At 1:02 PM -0700 4/23/01, Ambarish Malpani wrote:
>     Even if you are requiring clients to pull the CRLs from your 
>directory, you still need to have enough bandwidth to and replication 
>of the directory to support all the clients who need to pull the new 
>CRL every time it is issued.

The alternative is that some users would have a different (that is, 
better) list of what is in the CRL than others, and those others 
would have no way of knowing that their list of revoked certificates 
is incomplete. That seems pretty awful to me. To be a bit crass, if 
you don't have the bandwidth, force your users to use delta CRLs, or 
don't be a CA.

If for some reason the wording in son-of-2459 goes towards not 
requiring a new CRL being issued, there also needs to be a fairly 
stern warning both in the delta CRL section and in the security 
considerations section saying that some users will have different 
views of what certificates have been revoked, and that they won't 
know it.

--Paul Hoffman, Director
--Internet Mail Consortium
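The problem Paul describes above, as an added illustration that is not code from anyone in this thread: a simplified model of how a relying party combines a complete (base) CRL with a delta CRL, and what two clients see when one of them only ever fetches the complete CRL. The CRL numbers, serial numbers and reason codes are constructed sample values; signatures, thisUpdate/nextUpdate and the Freshest CRL extension are deliberately left out of the model.

```python
# Simplified delta-CRL combination, modelled on the RFC 5280 section 5.2.4
# rules: a delta CRL carries a BaseCRLNumber, and may be applied to any
# complete CRL whose CRLNumber is at least that value. A removeFromCRL entry
# in the delta lifts a certificateHold recorded in the base.
# Added example for this thread; all numbers below are constructed.

REMOVE_FROM_CRL = "removeFromCRL"


class CRL:
    def __init__(self, number, entries, base_number=None):
        self.number = number              # CRLNumber extension value
        self.entries = dict(entries)      # serial number -> reason code
        self.base_number = base_number    # BaseCRLNumber; None for a complete CRL

    @property
    def is_delta(self):
        return self.base_number is not None


def apply_delta(base, delta):
    """Return the revoked set a client derives from a complete CRL plus a delta.

    Raises ValueError when the two cannot be combined; the client then has to
    fall back to the complete CRL alone or fetch a fresher one.
    """
    if base.is_delta:
        raise ValueError("first argument must be a complete CRL")
    if not delta.is_delta:
        raise ValueError("second argument must be a delta CRL")
    if base.number < delta.base_number:
        raise ValueError("complete CRL %d is older than the delta's base %d"
                         % (base.number, delta.base_number))
    merged = dict(base.entries)
    for serial, reason in delta.entries.items():
        if reason == REMOVE_FROM_CRL:
            merged.pop(serial, None)      # certificate released from hold
        else:
            merged[serial] = reason       # newly revoked since the base
    return merged


def client_views():
    """Compare what two clients believe after a delta is issued with no new base.

    Constructed scenario: the CA published complete CRL #10, then delta #11
    (base 10) revoking serial 3 and lifting the hold on serial 2, and did NOT
    issue a new complete CRL.
    """
    base = CRL(10, {1: "keyCompromise", 2: "certificateHold"})
    delta = CRL(11, {3: "affiliationChanged", 2: REMOVE_FROM_CRL}, base_number=10)

    delta_aware = apply_delta(base, delta)     # client that fetches base + delta
    base_only = dict(base.entries)             # client that only fetches complete CRLs
    return {
        "delta_aware": sorted(delta_aware),
        "base_only": sorted(base_only),
        # serials on which the two clients disagree; the base-only client has
        # no indication in its CRL that this disagreement exists
        "disagreement": sorted(set(delta_aware) ^ set(base_only)),
    }


def stale_base_rejected():
    """A client still holding complete CRL #9 must not apply a delta based on #10."""
    old_base = CRL(9, {1: "keyCompromise"})
    delta = CRL(11, {3: "affiliationChanged"}, base_number=10)
    try:
        apply_delta(old_base, delta)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for client, serials in client_views().items():
        print(client, serials)
    print("stale base rejected:", stale_base_rejected())
```

The `disagreement` set is the point of the thread: serial 3 is revoked for one client and unrevoked for the other, and serial 2 is the reverse, while nothing in the base-only client's data tells it that a newer view exists unless the CA also publishes a fresh complete CRL.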