Re: Comments on
Arsenault, Al W. wrote:
>
>
> This may be a matter of semantics, but we'll see. I believe that there is a
> need for a CA, RA, other entity to send out "unsolicited response" messages.
> That is, a CA may want to send a CRLannounce message to users, even though
> users have not asked for them, because local policy dictates that you push a
> new CRL out whenever a key has been determined to be compromised. If one
> regards such messages to be "response" messages, then the current PKIX-CMP
> is acceptable. If one regards such a message to be a "distribution message
> that was not a request or response", then that concept needs to be
> supported.
We should be clear that PKIX-CMP is not a scheme for managing certificate
or CRL distribution. This is the function of part II, wherein operational
requirements are considered; different solutions are part of
the concept of part II, precisely because operational environments are
so different even on the public Internet.
We have already discussed CRL push a few times. Many parties
are working on models/systems for CRL push over Microsoft and Marimba channels.
One expects these underlying transports to become true (versus simulated) push
over time...
One can imagine IETF standardizing in part II a set of message formats
for CRL push which are transport independent, and perhaps profile
for transport over modern channel-distribution technologies, much
as PKIX-3 specifies information objects, and a number of
transport technologies.