RE: Removing expired certificates from CRLs.....
Michael --
Your point that there is not necessarily a 1-1 relationship is
valid; however, it is not uncommon for a responder to receive its revocation
information from CRLs, and in this case there could be such a relationship.
Additionally, since the overall goal in this case is the same for both OCSP
and CRLs, why not just use the same model to solve the problem?
Ryan
-----Original Message-----
From: Michael Myers [mailto:myers@xxxxxxxxxxxxx]
Sent: Monday, September 10, 2001 2:28 PM
To: IETF-PKIX
Subject: RE: Removing expired certificates from CRLs.....
All,
I think a unique extension creates the least impact.
More broadly though, what's really bothering me is my sense that we're
backing into the notion of a 1-1 between CRLs and online status mechanisms.
Assume an environment that both publishes CRLs and offers OCSP-based
services against the same set of certificates. What if:
a) The CA receives a revocation request at T1;
b) A database state variable is flipped at T1+N;
c) An OCSP request is received at T1+N+M;
d) An OCSP response is transmitted at T1+N+M+K;
e) Yet the next CRL cycle won't run (i.e. the cron job won't fire)
until T1+X where X >> (N+M+K).
Thus relying parties are enabled to pick and choose between CRLs or OCSP
depending on how it might benefit their argument for remedy under digital
signature laws.
Thoughts, anyone?
Mike
Michael Myers
t: +415.819.1362
e: mailto:mike@xxxxxxxxxxxxxxxxxxxxxx
w: http://www.traceroutesecurity.com
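The timeline in steps a) through e) can be replayed as a small simulation. The following is an added example written for this archive page, not code from either poster or from any PKIX implementation; the tick values, the serial number, the CRL_PERIOD constant and the helper names (RevocationDB, crl_in_effect, ocsp_query, freshest_status, run_scenario) are all constructed for illustration. It shows the window during which an OCSP responder reading the live database says "revoked" while the CRL still in force says "good", and one relying-party rule (prefer the source with the later thisUpdate) that removes the opportunity to pick whichever answer is more convenient.

```python
from dataclasses import dataclass, field

CRL_PERIOD = 1000  # X in the thread's notation: the CRL cron job fires every 1000 ticks (constructed value)


@dataclass
class RevocationDB:
    """The CA's revocation database; records the tick at which each serial's
    state variable was flipped (T1+N in the thread's notation)."""
    flipped_at: dict = field(default_factory=dict)

    def revoke(self, serial, t_request, db_latency):
        # a) request received at t_request; b) state flipped db_latency ticks later
        self.flipped_at[serial] = t_request + db_latency

    def is_revoked(self, serial, now):
        t = self.flipped_at.get(serial)
        return t is not None and t <= now


@dataclass(frozen=True)
class CRL:
    this_update: int
    next_update: int
    revoked: frozenset


@dataclass(frozen=True)
class OCSPResponse:
    serial: str
    status: str        # "good" or "revoked"
    this_update: int   # tick at which the responder consulted the DB (request time)
    produced_at: int   # this_update + K


def crl_in_effect(db, now):
    """The CRL a relying party can fetch at `now`: the snapshot the cron job
    took at the last multiple of CRL_PERIOD, listing serials flipped by then."""
    issued = (now // CRL_PERIOD) * CRL_PERIOD
    listed = frozenset(s for s in db.flipped_at if db.is_revoked(s, issued))
    return CRL(issued, issued + CRL_PERIOD, listed)


def ocsp_query(db, serial, t_request, response_latency):
    """c) responder reads the live DB at request time; d) response leaves K ticks later."""
    status = "revoked" if db.is_revoked(serial, t_request) else "good"
    return OCSPResponse(serial, status, t_request, t_request + response_latency)


def crl_status(crl, serial):
    return "revoked" if serial in crl.revoked else "good"


def freshest_status(ocsp, crl):
    """Relying-party rule: believe whichever source has the later thisUpdate,
    so a stale CRL cannot be chosen over a newer OCSP answer (or vice versa)."""
    if ocsp.this_update >= crl.this_update:
        return ocsp.status
    return crl_status(crl, ocsp.serial)


def run_scenario(t1=100, n=5, m=10, k=2, serial="0x2a"):
    """Replay steps a)-e) with constructed tick values and report what each
    source says at the moment the OCSP response arrives."""
    db = RevocationDB()
    db.revoke(serial, t1, n)                       # a) + b): flip at T1+N
    ocsp = ocsp_query(db, serial, t1 + n + m, k)   # c) + d): request at T1+N+M
    crl = crl_in_effect(db, ocsp.produced_at)      # e): CRL still in force at T1+N+M+K
    return {
        "ocsp_status": ocsp.status,
        "crl_status": crl_status(crl, serial),
        "crl_this_update": crl.this_update,
        "crl_catches_up_at": crl.next_update,          # T1+X: next cron run
        "disagreement_ticks": crl.next_update - (t1 + n),  # how long the two sources differ
        "freshest": freshest_status(ocsp, crl),
    }


if __name__ == "__main__":
    print(run_scenario())
```

With the default values the OCSP response says "revoked" at tick 117 while the CRL issued at tick 0 still says "good", and the CRL does not catch up until tick 1000; the freshest-source rule returns "revoked" throughout that gap. Real relying parties get the same information from the thisUpdate/nextUpdate fields of a CRL and the thisUpdate/producedAt fields of an OCSP response, which is what a validation policy should compare rather than letting the application choose the more convenient answer.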