
CRLs for OCSP



Ambarish,

Actually I'm far less concerned about CRLs per se than the timeliness issue
that Carlisle and I discussed a few years back when he and I argued the
notions underlying OCSP.  What concerns me are the systems-level
requirements that derive from assuming CRLs are the only and best means to
deliver OCSP-based (or equivalent) services.

It seems to me we are heading in that direction.  That's not necessarily a
bad thing.  I can see that in some instances CRLs are sufficient, especially
in very large-scale commercial deployments involving ad-hoc interactions
between autonomous trust domains.  I can also see that in certain
deployments, high-frequency deltas can effectively address the timeliness
requirements OCSP might otherwise satisfy.

Yet a requirement on a more closed trust domain that it MUST produce a CRL
in order to deliver OCSP-based services seems to me to be unduly burdensome.
Further, the exchange of equivalent information in support of delegated
validation (vice revocation) still remains an open issue in this context.
Lastly, there exist obvious issues when the periodicity of CRLs (as
generally practiced) is put up against the aperiodic and on-demand nature of
OCSP (or equivalent).

So, basically, I just think there are some issues to discuss.  As I've heard
repeatedly in the IETF, current market practices and shipping products
should not be permitted to constrain our consideration of the best technical
solution going forward.  I remain especially concerned that several
under-examined systems-level issues will cause problems down the road.
These are easily predictable today; we should be developing answers in a
concomitant fashion.


Mike

Michael Myers
t: +415.819.1362
e: mailto:mike@xxxxxxxxxxxxxxxxxxxxxx
w: http://www.traceroutesecurity.com