
Re: Current status of CRL validation ?

Eric Norman wrote:
> 
> On Tue, 30 Mar 2004, Ed Gerck wrote:
> 
> > Moreover, PKIX/X.509 revocation is a "will" to revoke but not an actual
> > revocation. Few recognize, as you have now hit, that cert revocation
> > in PKIX/X.509 is a solution to a non-existent problem ... while the real
> > problem is left utterly unsolved.
> 
> As far as this reader knows, the real problem is also unstated.  Might I
> be reminded about just what the "real problem" is?

The real problem is to make the cert unusable when revoked. For that,
one should also not need to rely on any third-party or users. In particular,
I believe that trusting user intervention (even to update software) is a
very weak assumption.

It's apparent in this thread that revoking by reference (the current
method with CRLs and OCSPs) has some unsolved and unsolvable problems.
To consider them a "feature" is the first stage of problem solving.
My comments on this, practically the same since '97, are that we should
move to the second stage.

Cheers,
Ed Gerck
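As an added illustration of the "revoking by reference" point above (not part of the original thread, and not anyone's production code): a simulated relying-party CRL check in Python, using a constructed CRL, constructed serials and timestamps. It shows where the reference breaks down: under a soft-fail policy a revoked cert stays usable while the distribution point is unreachable, a stale CRL forces the policy rather than the CA to decide, and a revocation decided after the last CRL issue is invisible until the next CRL is published.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional, Set

# Minimal stand-in for an X.509 CRL (RFC 5280): revoked serials plus the
# thisUpdate/nextUpdate window in which a relying party may treat it as fresh.
@dataclass
class Crl:
    this_update: datetime
    next_update: datetime
    revoked: Set[int] = field(default_factory=set)

@dataclass
class Cert:
    serial: int
    dp_reachable: bool = True   # can the CRL distribution point be fetched now?

def fetch_crl(cert: Cert, published: Optional[Crl]) -> Optional[Crl]:
    """Simulated fetch from the CRL distribution point; None if unreachable."""
    return published if cert.dp_reachable else None

def check(cert: Cert, now: datetime, published: Optional[Crl], soft_fail: bool) -> str:
    """Relying-party decision for one cert: 'accept' or 'reject'."""
    crl = fetch_crl(cert, published)
    if crl is None or not (crl.this_update <= now < crl.next_update):
        # No fresh revocation data: the local policy, not the CA, decides.
        return "accept" if soft_fail else "reject"
    return "reject" if cert.serial in crl.revoked else "accept"

def scenarios() -> Dict[str, str]:
    """Constructed cases; every serial and timestamp here is made up."""
    t0 = datetime(2004, 3, 30, 12, 0)
    one_h, three_h, stale = (t0 + timedelta(hours=h) for h in (1, 3, 25))
    crl = Crl(this_update=t0, next_update=t0 + timedelta(hours=24), revoked={42})
    # Constructed: the CA decides to revoke serial 99 at t0+2h, but the next
    # CRL is not due until t0+24h, so the published list still omits it.
    return {
        "revoked_listed": check(Cert(42), one_h, crl, soft_fail=True),
        "revoked_unreachable_softfail": check(Cert(42, dp_reachable=False), one_h, crl, soft_fail=True),
        "revoked_unreachable_hardfail": check(Cert(42, dp_reachable=False), one_h, crl, soft_fail=False),
        "good_cert_stale_crl": check(Cert(7), stale, crl, soft_fail=False),
        "revoked_not_yet_listed": check(Cert(99), three_h, crl, soft_fail=False),
    }

if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name}: {verdict}")
```

The last two cases are the ones the message calls unsolvable by reference: a hard-fail policy rejects a perfectly good cert when the CRL is merely stale, while a cert the CA already wants revoked is still accepted until the CA's next publication.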