problem is that consumers don't normally know that they want to check on a
particular merchant's CRL entry until they realize that they want to go to that
merchant site. in general, the consumers aren't going to want to keep a local
(usenet) database of all CRL entries (however they are distributed) ... so it is
more likely the ISP would have to keep all the entries ... pushed into a
database ... and let the consumer do an online database lookup of the CRL
entries (effectively the local ISP is keeping a cached copy of all entries ... and
uses usenet as the distribution infrastructure).

sometimes, usenet can take several hours to a day to propagate ... so the person
may still want to do an online transaction against the agency that issued a
certificate.

In which case, the local ISP would be considered a "stand-in" ... maintaining a
negative file ... and returning positive answers if there isn't a match in the
negative file for the online transaction ... in which case the consumer may
still want to do another online transaction against the master file (located
somewhere in the internet).

Given that online transactions are being performed ... then it may even be more
straightforward to use domain name infrastructure to manage distribution and
management of cached entries. It has somewhat better online transaction
semantics than usenet (already). However, since this is turning into online
transaction infrastructure ... it is then possible to eliminate both the
certificates and CRLs totally and just use the straightforward domain name
infrastructure.

back again to certificates typically being superfluous and redundant in an
online infrastructure.
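The stand-in design and the propagation delay described above can be put together in a small model. This is an added Python example, not code from the thread; the class names (MasterFile, StandIn), the check() states and the serial number are assumed for the illustration.

```python
"""Model of an ISP "stand-in" revocation check: a local negative file fed by a
slow channel answers "ok" on a miss, so a freshly revoked certificate passes
until the entry propagates or the consumer asks the issuer's master file."""
from dataclasses import dataclass, field

@dataclass
class MasterFile:
    """Authoritative revocation records at the issuing CA (constructed data)."""
    revoked: dict = field(default_factory=dict)   # serial -> hour revoked

    def revoke(self, serial: str, at_hour: float) -> None:
        self.revoked[serial] = at_hour

    def is_revoked(self, serial: str) -> bool:
        return serial in self.revoked

@dataclass
class StandIn:
    """ISP-side negative file, refreshed through a channel with lag_hours delay."""
    lag_hours: float
    negative_file: set = field(default_factory=set)
    last_sync: float = 0.0

    def sync(self, master: MasterFile, now: float) -> None:
        # Entries younger than the channel lag have not arrived yet.
        self.negative_file = {s for s, t in master.revoked.items()
                              if t + self.lag_hours <= now}
        self.last_sync = now

    def check(self, serial: str, now: float, max_stale: float) -> str:
        if serial in self.negative_file:
            return "revoked"            # a hit in the negative file is definitive
        if now - self.last_sync > max_stale:
            return "verify-online"      # cache too old: go to the master file
        return "ok"                     # miss in a fresh cache: treat as not revoked

def demo() -> list:
    """Walk one revocation through a 12-hour channel; returns the answers seen."""
    master, isp = MasterFile(), StandIn(lag_hours=12.0)
    serial = "SERIAL-0001"              # constructed sample serial
    master.revoke(serial, at_hour=0.0)
    seen = []
    isp.sync(master, now=1.0)           # sync before the entry has propagated
    seen.append(isp.check(serial, now=1.0, max_stale=24.0))     # "ok": false negative
    seen.append("revoked" if master.is_revoked(serial) else "ok")  # master knows
    seen.append(isp.check(serial, now=30.0, max_stale=24.0))    # stale: escalate
    isp.sync(master, now=30.0)          # entry has now propagated
    seen.append(isp.check(serial, now=30.0, max_stale=24.0))    # "revoked"
    return seen
```

The first answer is the gap the propagation delay creates: the stand-in says "ok" while the master file already lists the serial as revoked.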

"Arnold G. Reinhold" <[EMAIL PROTECTED]> on 11/27/2000 07:53:35 AM

Please respond to "Arnold G. Reinhold" <[EMAIL PROTECTED]>

To:   Lynn Wheeler/CA/FDMS/FDC@FDC
cc:   [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject:  Re: Public Key Infrastructure: An Artifact...

At 11:17 AM -0800 11/23/2000, [EMAIL PROTECTED] wrote:
>Basically certificates are an implementation of R/O partial replicated
>distributed data that were intended to address availability of information in a
>predominately offline environment.
>
>In the SSL server certificates, distribution of CRLs tends to create a problem
>for consumers because they aren't likely to want to see 99.99999999999999999999%
>of the CRLs distributed and/or they aren't online at the time the CRLs are
>distributed (and/or if done via email would create a horrible spam issue ...
>every possible consumer in the world receiving email CRLs from every possible SSL
>server certificate issuing CA).

Sounds like a job for Usenet.

Arnold Reinhold
