RE: Offline Root CA with valid CRL hierarchy
note that this is one of the places where it would become difficult to turn
the current manufactured certificate infrastructure for SSL domain name
certificates into a PKI.
The customers of an SSL domain name CA are all the web servers in the world.
The relying parties are (at least) every browser in the world (aka every
client in the world potentially having multiple browsers). "Every time"
would in effect be every time an SSL/HTTPS session anywhere in the world was
ever initiated .... aka every time a browser initiated an SSL/HTTPS session
a CRL fetch would potentially be required (assuming a pull paradigm;
assuming a push paradigm then every CA would have to transmit their CRLs to
every possible browser in the world .... with every possible client in the
world possibly having multiple different browsers).
Also .... there is some difficulty in a CA "telling" every RP in such an
infrastructure anything .... since actual RPs are infrequently
predetermined. A possible sidestep is some sort of browser initialization
informing the "human" operator of the browser of some text extracted from
each pre-installed root certificate.
random ref:
http://www.garlic.com/~lynn/subtopic.html#sslcerts
--
Internet trivia, 20th anv: http://www.garlic.com/~lynn/rfcietff.htm
ambarish@xxxxxxxxxxx on 12/31/2002 2:52 pm wrote:
Hi Mitchell,
As a CA, you can tell the RP (relying party) that it is
responsible for fetching the latest CRL. If you then give it
no way of knowing when to get a new CRL, any serious security
client would keep checking for a new CRL *every* time it needed
to validate a certificate/certification path.
As a root CA, it is very unlikely that your directory could handle
the load you would get from every client trying to get your latest
CRL for every certificate that chains up to you (*distribution* is
the real scalability problem with CRLs - as opposed to OCSP - not
generation).
Regards,
Ambarish
---------------------------------------------------------------------
Ambarish Malpani 650.759.9045
Malpani Consulting Services ambarish@xxxxxxxxxxx
http://www.malpani.biz
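The pull-model RP behaviour Ambarish describes (a careful client refetches on every validation when the CA publishes no nextUpdate, otherwise only once the cached CRL expires) and the per-client fetch count Lynn's fleet-wide load extrapolates from, as an added example that is not code from either poster. The CA reissue schedule, the one-validation-per-minute workload and the 2002 start date are constructed assumptions; nothing here parses a real DER CRL.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional

@dataclass
class CachedCRL:
    """RFC 5280 thisUpdate/nextUpdate as an RP sees them (constructed model, no DER)."""
    this_update: datetime
    next_update: Optional[datetime]  # nextUpdate is OPTIONAL in the CRL syntax

class RelyingPartyCRLCache:
    """Pull-model RP cache: refetch only once the cached CRL has expired."""
    def __init__(self) -> None:
        self.crl: Optional[CachedCRL] = None
        self.fetches = 0

    def needs_fetch(self, now: datetime) -> bool:
        if self.crl is None:
            return True
        if self.crl.next_update is None:
            # No nextUpdate: the CA gave no hint when a newer CRL will exist,
            # so a careful client must assume it may have changed and refetch.
            return True
        return now >= self.crl.next_update

    def validate(self, now: datetime, fetch: Callable[[datetime], CachedCRL]) -> None:
        # One call per certificate-path validation performed by this RP.
        if self.needs_fetch(now):
            self.crl = fetch(now)
            self.fetches += 1

def fetches_per_rp(validations: List[datetime], validity_hours: Optional[float]) -> int:
    """Fetches one RP makes against a hypothetical CA reissuing every validity_hours (None = no nextUpdate)."""
    issued_at = validations[0]  # first CRL issuance aligned with the first validation
    validity = None if validity_hours is None else timedelta(hours=validity_hours)

    def fetch_from_ca(now: datetime) -> CachedCRL:
        if validity is None:
            return CachedCRL(issued_at, None)
        periods = (now - issued_at) // validity  # timedelta // timedelta -> int
        this = issued_at + periods * validity
        return CachedCRL(this, this + validity)

    cache = RelyingPartyCRLCache()
    for t in validations:
        cache.validate(t, fetch_from_ca)
    return cache.fetches

def one_day_of_validations(start: Optional[datetime] = None) -> List[datetime]:
    """Constructed workload: one validation per minute for 24 hours."""
    start = start or datetime(2002, 12, 31, tzinfo=timezone.utc)
    return [start + timedelta(minutes=i) for i in range(24 * 60)]
```

Multiplying the per-RP count by the number of browsers in the world gives the distribution load on the CA's directory that the thread is worried about; a 12-hour nextUpdate turns 1440 fetches per client per day into 2.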