
Re: Offline Root CA with valid CRL hierarchy




All points raised on this issue have been well stated. I do believe that Dave's approach could work, but my concern is that I too do not see any real advantage to it. The 30-day CRL might be OK if the directories are secured and scaled properly, and the 30 1-day CRLs might be OK if the stack of pre-generated CRLs is secured and published properly. I just think there is a better solution, the likes of which others on this list have already commented on. Personally I like the OCSP approach, but even that does not mitigate the need for an effective CRL publishing strategy.


Thanks

Mitch

At 01:11 PM 1/3/2003, Al Arsenault wrote:
I'm not saying Dave's approach couldn't work; it certainly could.  And it
wouldn't significantly reduce security if the pre-generated CRLs were
properly controlled through physical/procedural means.  I'm just saying that
I don't see any real big advantage to it.

***********************************************************
Mitchell Arnone
Managing Consultant
SchlumbergerSema
Technical Consulting Practice, Northeast Region
Network & Infrastructure Solutions

marnone@xxxxxxxxxxxxxxxxxxxxxx
www.slb.com/nws

35 Waterview Blvd.
Suite 210
Parsippany, NJ 07054-1200
USA

Phone  +1 410-579-8691
Mobile  +1 443-864-1590
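The thread compares one 30-day CRL against a stack of 30 pre-generated 1-day CRLs signed in a single offline session and released one per day. The model below is an added example, not code from anyone on the list; it assumes a publishing host that releases the next CRL once its thisUpdate has arrived, a two-hour overlap between consecutive CRLs (a constructed value, chosen to absorb clock skew and late publishing), and that relying parties may cache a CRL until its nextUpdate. It checks the stack for coverage gaps, which is the failure mode that makes the stack "published properly" or not, and bounds how long a revoked certificate can stay trusted under each validity period.

```python
"""Added model of two CRL publishing strategies for an offline root CA."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class CrlWindow:
    """Validity window of one CRL, i.e. its thisUpdate/nextUpdate fields."""
    crl_number: int
    this_update: datetime
    next_update: datetime

    def is_valid_at(self, now: datetime) -> bool:
        return self.this_update <= now < self.next_update


def pregenerate_crl_stack(start: datetime, count: int,
                          validity: timedelta = timedelta(days=1),
                          overlap: timedelta = timedelta(hours=2)) -> List[CrlWindow]:
    """The CRLs the root signs in one offline session (assumed layout).
    CRL i becomes valid at start + i*validity; its nextUpdate is padded by
    `overlap` so consecutive CRLs overlap and a late publish or a skewed
    relying-party clock does not leave an interval with no valid CRL."""
    return [
        CrlWindow(i + 1, start + i * validity, start + (i + 1) * validity + overlap)
        for i in range(count)
    ]


def select_crl_to_publish(stack: List[CrlWindow], now: datetime) -> Optional[CrlWindow]:
    """The publishing host releases the highest-numbered CRL whose thisUpdate has
    arrived. Releasing later CRLs early would throw away the daily freshness
    that is the whole point of the stack, so the unreleased ones must stay
    under the same physical/procedural control as the signing key."""
    ready = [c for c in stack if c.this_update <= now]
    return max(ready, key=lambda c: c.crl_number) if ready else None


def coverage_gaps(stack: List[CrlWindow]) -> List[Tuple[datetime, datetime]]:
    """Intervals during which no CRL in the stack is valid.
    A non-empty result means relying parties will see an expired CRL and,
    depending on policy, either fail closed or accept revoked certificates."""
    gaps: List[Tuple[datetime, datetime]] = []
    covered_until: Optional[datetime] = None
    for crl in sorted(stack, key=lambda c: c.this_update):
        if covered_until is not None and crl.this_update > covered_until:
            gaps.append((covered_until, crl.this_update))
        if covered_until is None or crl.next_update > covered_until:
            covered_until = crl.next_update
    return gaps


def worst_case_revocation_delay(crl_validity: timedelta,
                                ca_reissue_delay: timedelta) -> timedelta:
    """Upper bound on how long a relying party may keep trusting a revoked
    certificate: the offline root must be brought up to sign an emergency CRL
    (ca_reissue_delay), and a client holding the previous CRL need not fetch
    again before that CRL's nextUpdate (crl_validity). A 30-day CRL therefore
    leaves a much longer tail than 30 daily CRLs even with the same root."""
    return ca_reissue_delay + crl_validity


if __name__ == "__main__":
    # Constructed dates for the walk-through.
    start = datetime(2003, 1, 4, tzinfo=timezone.utc)
    stack = pregenerate_crl_stack(start, 30)
    now = start + timedelta(days=5, hours=3)
    current = select_crl_to_publish(stack, now)
    print("publish CRL #%d at %s" % (current.crl_number, now.isoformat()))
    print("coverage gaps:", coverage_gaps(stack))
    for days in (30, 1):
        delay = worst_case_revocation_delay(timedelta(days=days), timedelta(days=2))
        print("%2d-day CRL, 2-day reissue: revoked cert trusted up to %s" % (days, delay))
```

The gap check is the property to verify before the stack leaves the signing room; the delay bound is the argument for short nextUpdate values regardless of whether CRLs are pre-generated or not, and it applies equally to the OCSP responder's own signing certificate.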