RE: Removing expired certificates from CRLs.....
All,
I think a unique extension creates the least impact.
More broadly though, what's really bothering me is my sense that we're
backing into the notion of a 1-1 between CRLs and online status mechanisms.
Assume an environment that both publishes CRLs and offers OCSP-based
services against the same set of certificates. What if:
a) The CA receives a revocation request at T1;
b) A database state variable is flipped at T1+N;
c) An OCSP request is received at T1+N+M;
d) An OCSP response is transmitted at T1+N+M+K;
e) Yet the next CRL cycle won't run (i.e. the cron
job won't fire) until T1+X where X >> (N+M+K).
Thus relying parties are enabled to pick and choose between CRLs or OCSP
depending on how it might benefit their argument for remedy under digital
signature laws.
Thoughts, anyone?
Mike
Michael Myers
t: +415.819.1362
e: mailto:mike@xxxxxxxxxxxxxxxxxxxxxx
w: http://www.traceroutesecurity.com
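The timeline in the message above, as an added example (not part of Mike's post): a constructed model of a CA whose database feeds both a periodic CRL and an on-demand OCSP responder, used to compute the window in which the two mechanisms disagree. The class and timings are hypothetical and chosen only to illustrate the argument.

```python
from dataclasses import dataclass, field


@dataclass
class CA:
    """Constructed CA model (hypothetical): one database, two status services."""
    crl_period: int   # X: seconds between CRL cron runs
    db_lag: int       # N: delay between revocation request and DB flag flip
    revoked_at: dict = field(default_factory=dict)  # serial -> DB flip time

    def request_revocation(self, serial, t_request):
        # a) request at T1; b) the DB state variable flips at T1+N
        self.revoked_at[serial] = t_request + self.db_lag

    def crl_status(self, serial, t_query):
        # The CRL in force at t_query was produced at the last cron boundary;
        # it only reflects flips that happened at or before that boundary.
        this_update = (t_query // self.crl_period) * self.crl_period
        flip = self.revoked_at.get(serial)
        return "revoked" if flip is not None and flip <= this_update else "good"

    def ocsp_status(self, serial, t_query):
        # c)/d) OCSP reads the database state at the moment of the query.
        flip = self.revoked_at.get(serial)
        return "revoked" if flip is not None and flip <= t_query else "good"


def disagreement_window(ca, serial, t_request):
    """Interval [start, end) during which OCSP says 'revoked' but the CRL in
    force still lists the certificate as good. Empty if the flip lands
    exactly on a CRL boundary."""
    ca.request_revocation(serial, t_request)
    flip = ca.revoked_at[serial]
    next_crl = ((flip + ca.crl_period - 1) // ca.crl_period) * ca.crl_period
    return flip, next_crl


def relying_party_status(ca, serial, t_query):
    """A fixed, source-independent policy for the relying party: treat the
    certificate as revoked if either mechanism says so, and report whether
    the two sources disagreed so the mismatch can be logged."""
    crl, ocsp = ca.crl_status(serial, t_query), ca.ocsp_status(serial, t_query)
    status = "revoked" if "revoked" in (crl, ocsp) else "good"
    return status, crl != ocsp
```

With a daily CRL and a 60-second database lag, a revocation requested at t=1000 is visible via OCSP from t=1060 but absent from the CRL until the next run at t=86400.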