
Re: Offline Root CA with valid CRL hierarchy

Santosh Chokhani wrote:
> I am thoroughly confused.  First, what I am proposing will work
> if the RP is using indirect CRL.  I am making a modest assumption
> that an RP that can process indirect CRL can also process full and
> complete CRL.

Right. The primary benefit of pre-issued CRLs over indirect
CRLs or OCSP is that pre-issued CRLs work with any RP that
can process CRLs (any RFC 3280 compliant RP) whereas the
others require support for features not required by RFC 3280.

> In terms of OCSP, if your solution is OCSP only, I still
> think the approach I suggest will be a good way to supply the
> revocation information to the OCSP responders, especially if
> there are many of them or if you want the convenience of
> distributing the revocation information over untrusted networks.

I don't know much about how people generally supply
revocation information to OCSP responders. Certainly,
I expect that your system would work fine. But I expect
that many OCSP responders would support indirect CRLs,
so that might also be a solution. And some people might
just use SSH. I don't know.

> How the OCSP Responder for off-line root revocation should be
> architected is a separate topic with its own nuances.

I didn't think we were discussing how to revoke a root.
As you say, that's a separate topic. Let's leave it aside
for now, unless there's some pressing need to address it.

-Steve
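The pre-issued CRL scheme Steve refers to above (a batch of CRLs signed in one offline session, each covering the next validity window, so any RFC 3280 RP can consume them), as an added example that is not part of this thread. It assumes the Python `cryptography` package; the root name, key and serial numbers are constructed for the example.

```python
# Added example: pre-issue a batch of CRLs from an offline root key in one
# signing session, then select the one a plain CRL-checking RP should see at a
# given time. Assumes the `cryptography` package; names and key are constructed.
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

ROOT_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Offline Root")])
ROOT_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)  # constructed
EPOCH = dt.datetime(2024, 1, 1, tzinfo=dt.timezone.utc)  # start of the signing batch

def pre_issue_crls(key, issuer, start, period_days, count, revoked_serials=()):
    """Sign `count` CRLs at once with back-to-back validity windows.
    CRL i covers [start + i*period, start + (i+1)*period) and carries CRL number
    i+1. The online publisher releases CRL i when its window begins; the root key
    never has to come online between releases."""
    crls = []
    for i in range(count):
        this_update = start + dt.timedelta(days=i * period_days)
        builder = (x509.CertificateRevocationListBuilder()
                   .issuer_name(issuer)
                   .last_update(this_update)
                   .next_update(this_update + dt.timedelta(days=period_days))
                   .add_extension(x509.CRLNumber(i + 1), critical=False))
        for serial in revoked_serials:  # entries known at signing time only
            builder = builder.add_revoked_certificate(
                x509.RevokedCertificateBuilder().serial_number(serial)
                .revocation_date(start).build())
        crls.append(builder.sign(key, hashes.SHA256()))
    return crls

def _window(crl):
    """thisUpdate/nextUpdate as aware UTC datetimes, across cryptography versions."""
    last = getattr(crl, "last_update_utc", None)
    if last is not None:
        return last, crl.next_update_utc
    utc = dt.timezone.utc
    return crl.last_update.replace(tzinfo=utc), crl.next_update.replace(tzinfo=utc)

def current_crl(crls, now, root_public_key):
    """The check any RFC 3280 RP already makes: a CRL whose validity window
    contains `now` and whose signature verifies under the root key.
    Returns None when the pre-issued batch does not cover `now`."""
    for crl in crls:
        last, nxt = _window(crl)
        if last <= now < nxt and crl.is_signature_valid(root_public_key):
            return crl
    return None
```

With four weekly CRLs pre-issued, a lookup ten days after the batch start returns CRL number 2, and a lookup after day 28 returns None, which is the operational signal that the root must be brought online to sign the next batch.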