
RE: Offline Root CA with valid CRL hierachie




Hi Mitch,
With OCSP, you can get around most of the CRL publishing issues.
One of the features I added to the Valicert OCSP responder (VA) was
to allow it (under operator control) to accept expired CRLs for a
fixed amount of time.

If the CA is operating the VA, it can issue a single CRL
and have the VA trust it for as long as it wishes to - for example,
issue the CRL for a day but have the responder trust it for 30. If
a new revocation needs to happen, you publish the new CRL to the VA,
which now starts trusting the new CRL (and no longer depends on the
old one).

It is also perfectly possible to have the VA run on its own data and
not rely on the CA software for revocation data at all - I know at
least one CA that chose to operate in that way (even though they
were operating both the CA and the VA themselves).

Regards,
Ambarish


---------------------------------------------------------------------
Ambarish Malpani                                         650.759.9045
Malpani Consulting Services                      ambarish@xxxxxxxxxxx
http://www.malpani.biz
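As an added example (not Valicert's code or anything posted in this thread), the grace-window behaviour described above, modelled in Python: a 1-day CRL stays trusted for 30 days past its nextUpdate, a newer CRL replaces it outright, and a replayed older CRL is refused. The Crl class is a constructed stand-in for a parsed X.509 CRL.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Crl:                      # constructed stand-in for a parsed X.509 CRL
    this_update: datetime
    next_update: datetime
    revoked: frozenset = field(default_factory=frozenset)   # revoked serials

class GraceResponder:
    """OCSP responder (VA) that keeps answering from its newest CRL until
    next_update + grace, so a CRL issued for one day can serve for 30."""

    def __init__(self, grace: timedelta):
        self.grace = grace
        self.crl: "Crl | None" = None

    def load(self, crl: Crl) -> None:
        # Operator publishes a CRL to the VA. Refuse anything not newer than
        # what we hold: a replayed old CRL would silently un-revoke serials.
        if self.crl is not None and crl.this_update <= self.crl.this_update:
            raise ValueError("CRL is not newer than the one already loaded")
        self.crl = crl           # the new CRL replaces the old one outright

    def current(self, now: datetime) -> "Crl | None":
        crl = self.crl
        if crl is None or now < crl.this_update:
            return None          # nothing loaded, or CRL not yet valid
        if now > crl.next_update + self.grace:
            return None          # operator's grace window is exhausted
        return crl

    def status(self, serial: int, now: datetime) -> str:
        crl = self.current(now)
        if crl is None:
            return "unknown"     # no trustworthy data: never default to "good"
        return "revoked" if serial in crl.revoked else "good"

def demo() -> dict:
    """The scenario from the mail: 1-day CRL, 30-day grace, then a new CRL."""
    t0, day = datetime(2003, 1, 3, tzinfo=timezone.utc), timedelta(days=1)
    va = GraceResponder(grace=30 * day)
    va.load(Crl(t0, t0 + day, frozenset({0x1001})))
    out = {"day10": va.status(0x1002, t0 + 10 * day),   # CRL expired, in grace
           "day40": va.status(0x1002, t0 + 40 * day)}   # grace exhausted
    try:                                                # replayed older CRL
        va.load(Crl(t0 - day, t0))
        out["replay"] = "accepted"
    except ValueError:
        out["replay"] = "rejected"
    va.load(Crl(t0 + 12 * day, t0 + 13 * day, frozenset({0x1001, 0x1002})))
    out["day14_new"] = va.status(0x1002, t0 + 14 * day)  # new CRL consulted
    return out
```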



> -----Original Message-----
> From: owner-ietf-pkix@xxxxxxxxxxxx
> [mailto:owner-ietf-pkix@xxxxxxxxxxxx]On Behalf Of Mitchell Arnone
> Sent: Friday, January 03, 2003 11:11 AM
> To: Al Arsenault; Santosh Chokhani; ietf-pkix@xxxxxxx
> Subject: Re: Offline Root CA with valid CRL hierachie
>
>
>
> All points raised on this issue have been well stated.  I do believe that
> Dave's approach could work, but my concern is that I too do not see any
> real advantage to it.  The 30-day CRL might be OK if the directories are
> secured and scaled properly, and the 30 1-day CRLs might be OK if the
> stack of pre-generated CRLs is secured and published properly.  I just
> think there is a better solution, on which others on this list have
> already commented.  Personally I like the OCSP approach, but even that
> does not mitigate the need for an effective CRL publishing strategy.
>
> Thanks
>
> Mitch
>
> At 01:11 PM 1/3/2003, Al Arsenault wrote:
> >I'm not saying Dave's approach couldn't work; it certainly could.  And it
> >wouldn't significantly reduce security if the pre-generated CRLs were
> >properly controlled through physical/procedural means.  I'm just saying
> >that I don't see any real big advantage to it.
>
> ***********************************************************
> Mitchell Arnone
> Managing Consultant
> SchlumbergerSema
> Technical Consulting Practice, Northeast Region
> Network & Infrastructure Solutions
>
> marnone@xxxxxxxxxxxxxxxxxxxxxx
> www.slb.com/nws
>
> 35 Waterview Blvd.
> Suite 210
> Parsippany, NJ 07054-1200
> USA
>
> Phone  +1 410-579-8691
> Mobile  +1 443-864-1590
>
>