RE: Offline Root CA with valid CRL hierachie
Mitch:
OCSP for Root raises its own issue in terms of Responder trust and responder revocation checking (if a certificate-based approach is used, vice a trust anchor).
-----Original Message-----
From: Mitchell Arnone [mailto:marnone@xxxxxxxxxxxxxxxxxxxxxx]
Sent: Friday, January 03, 2003 2:11 PM
To: Al Arsenault; Santosh Chokhani; ietf-pkix@xxxxxxx
Subject: Re: Offline Root CA with valid CRL hierachie
All points raised on this issue have been well stated. I do believe that Dave's approach could work, but my concern is that I too do not see any real advantage to it. The 30-day CRL might be OK if the directories are secured and scaled properly, and the 30 1-day CRLs might be OK if the stack of pre-generated CRLs is secured and published properly. I just think there is a better solution, the likes of which others on this list have already commented on. Personally I like the OCSP approach, but even that does not mitigate the need for an effective CRL publishing strategy.
Thanks
Mitch
At 01:11 PM 1/3/2003, Al Arsenault wrote:
>I'm not saying Dave's approach couldn't work; it certainly could. And
>it wouldn't significantly reduce security if the pre-generated CRLs
>were properly controlled through physical/procedural means. I'm just
>saying that I don't see any real big advantage to it.
***********************************************************
Mitchell Arnone
Managing Consultant
SchlumbergerSema
Technical Consulting Practice, Northeast Region
Network & Infrastructure Solutions
marnone@xxxxxxxxxxxxxxxxxxxxxx
www.slb.com/nws
35 Waterview Blvd.
Suite 210
Parsippany, NJ 07054-1200
USA
Phone +1 410-579-8691
Mobile +1 443-864-1590
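The thread above weighs one 30-day CRL against a stack of 30 pre-generated 1-day CRLs signed in a single offline session, and notes that the stack only works if it is published on time. The following is an added example, not code from the thread or from any PKIX implementation: a small stdlib-only model of that stack, assuming each CRL carries a `thisUpdate`, `nextUpdate` and CRL number (the real X.509 fields are not parsed here, the dates are constructed). It shows the two checks an operator and a relying party would want: that the signed stack leaves no coverage gap, and that a relying party selects only a CRL whose window contains the current time, so a stale or unpublished CRL is rejected rather than silently used.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ScheduledCRL:
    """Validity window of one pre-generated CRL (a constructed model, not a parsed X.509 CRL)."""
    crl_number: int
    this_update: datetime
    next_update: datetime


def plan_daily_crls(start: datetime, days: int = 30,
                    validity: timedelta = timedelta(days=1),
                    overlap: timedelta = timedelta(0)) -> List[ScheduledCRL]:
    """Schedule of `days` CRLs an offline root signs in one session.

    CRL i is valid from start + i*validity; `overlap` extends nextUpdate so that a
    slightly late publication of the next CRL does not leave relying parties with
    no current CRL at all. CRL numbers increase monotonically, as RFC 3280 requires.
    """
    stack = []
    for i in range(days):
        this_update = start + i * validity
        stack.append(ScheduledCRL(i + 1, this_update, this_update + validity + overlap))
    return stack


def coverage_gaps(stack: List[ScheduledCRL]) -> List[Tuple[datetime, datetime]]:
    """Intervals in which no CRL of the stack is valid (an operator check before publishing)."""
    gaps = []
    ordered = sorted(stack, key=lambda c: c.this_update)
    for prev, nxt in zip(ordered, ordered[1:]):
        if nxt.this_update > prev.next_update:
            gaps.append((prev.next_update, nxt.this_update))
    return gaps


def current_crl(published: List[ScheduledCRL], now: datetime) -> Optional[ScheduledCRL]:
    """Relying-party selection among the CRLs actually published.

    Only a CRL whose window contains `now` is acceptable; among several (possible when
    windows overlap) the highest CRL number wins. Returns None when every published CRL
    is stale (nextUpdate already passed) or not yet valid, which the caller must treat
    as 'revocation status unknown', not as 'not revoked'.
    """
    candidates = [c for c in published if c.this_update <= now < c.next_update]
    if not candidates:
        return None
    return max(candidates, key=lambda c: c.crl_number)


def main() -> None:
    start = datetime(2003, 1, 6, tzinfo=timezone.utc)  # constructed signing date
    stack = plan_daily_crls(start, days=30, overlap=timedelta(hours=2))
    print("gaps in signed stack:", coverage_gaps(stack))

    # The operator has published only the first ten CRLs; on day 12 relying parties
    # find no current CRL and must fail closed.
    published = stack[:10]
    print("CRL selected on day 12:", current_crl(published, start + timedelta(days=12)))

    # After the last CRL expires the root must be brought online again to sign a new stack.
    print("CRL selected after day 30:", current_crl(stack, start + timedelta(days=30, hours=2)))


if __name__ == "__main__":
    main()
```

The `overlap` parameter is the design knob the thread's concern points at: with zero overlap, any delay in publishing CRL n+1 produces a window in which `current_crl` returns `None` and every path validation fails; a modest overlap buys the publishing process some slack without extending how long a revoked certificate can go unreported beyond the chosen 1-day period.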