Ian G wrote, On 2009-01-08 16:42:
> On 9/1/09 00:46, Ben Bucksch wrote:
>>> Certs expire for the same reason that credit cards do. Do you
>>> understand why that is?
>> No, quite frankly, I do not.
>>
>> First off, my credit cards (VISA, MasterCard) are valid until Jan 1, 2013.
>
>
> I had to think about it too ... I think it is because in the old days,
> the retailers had little pieces of paper with all the "revoked" credit
> card numbers. Shop assistants were paid a reward for spotting the bad
> credit cards. Back in the early days (I remember being trained on these
> papers, we kept them under the register) there were around 100-1000
> numbers on them.
In the mid-1960s, when I was a lad, my mother took me shopping with her. When time came to pay for her purchases, she pulled out her shiny brand new credit card and presented it to the cashier. The cashier looked abjectly terrified. She called her supervisor over to help her through the process. They pulled a book out of a drawer below the cash register. It was about the same size as the local phone book, and printed on the same sort of very thin, slightly gray paper as used in phone books, but it was much thicker. She put it down and began to flip through the pages. I saw that each page had numerous columns, all containing numbers. The top outer corners of the pages showed the minimum and maximum number on each page, to make it easier to find the right page to search, just as a dictionary typically shows the alphabetically minimum and maximum words on each page in the upper corners. She found the right page and then scanned it in detail. When she was satisfied that the card number was not present, she asked her supervisor to double check and confirm it. Then they closed the book, and on its cover I saw the words "Revoked Card List" and the month and year for which it was current. They published a new phone book like that for every participating merchant every month. Each book had the numbers of ALL unexpired revoked cards for the entire world (which was limited to parts of North America at that time for that issuer). The single most important thing that the cashier was required to check was the expiration date on the card. Cashiers were required to mark on the transaction slip that they had checked the expiration date. Being expired meant that the number would NOT be present in the RCL book, even if the card had been revoked before it expired. Expiration kept the size of that RCL book manageable. CRLs are the modern analog of those old RCLs, and OCSP is the analog of those ubiquitous card-swipe devices that contact the issuer and get approval.
Despite this, many CAs still prefer to issue CRLs over using OCSP, perhaps because the cost of publishing CRLs is so much less than the cost of publishing those old phone-book sized documents. Also, as Julien has pointed out, for servers doing high volumes of revocation checking, having a full CRL locally is much more efficient than using OCSP for every cert.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
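The RCL/CRL analogy above makes two points a relying party has to get right: a revoked certificate drops off the CRL once it expires (that is what keeps the list bounded), so the expiry check must come before the CRL lookup, or a revoked-then-expired cert will look "not revoked". The following is an added example, not code from the post or from NSS; it is a constructed, standard-library-only model of an issuer that prunes expired serials from each CRL issue, a relying-party check in the correct order beside one that consults the CRL alone, and a small simulation showing that the CRL length stays bounded by the certificate lifetime no matter how many certs have been revoked in total. The `Issuer` and `Cert` classes and the `demo`/`crl_growth` helpers are hypothetical names chosen for this illustration.

```python
"""Constructed model: why certificate expiry bounds CRL size, and why the
relying party must check notAfter before consulting the CRL."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Cert:
    serial: int
    subject: str
    not_before: datetime
    not_after: datetime


class Issuer:
    """Toy CA (hypothetical, for illustration only).

    Like the monthly Revoked Card List, each published CRL lists only the
    revoked certs that have not yet expired; expired serials are pruned
    because every relying party is required to reject them on notAfter."""

    def __init__(self, lifetime: timedelta):
        self.lifetime = lifetime
        self.issued: dict[int, Cert] = {}
        self.revoked: dict[int, datetime] = {}  # serial -> revocation time
        self._next_serial = 1

    def issue(self, subject: str, now: datetime) -> Cert:
        cert = Cert(self._next_serial, subject, now, now + self.lifetime)
        self.issued[cert.serial] = cert
        self._next_serial += 1
        return cert

    def revoke(self, serial: int, now: datetime) -> None:
        if serial not in self.issued:
            raise KeyError(f"unknown serial {serial}")
        self.revoked.setdefault(serial, now)  # first revocation time wins

    def crl(self, now: datetime) -> set[int]:
        """Serials on the CRL issued at `now`: revoked AND still unexpired."""
        return {s for s in self.revoked if self.issued[s].not_after > now}


def check_cert_correct(cert: Cert, crl: set[int], now: datetime) -> str:
    """Relying-party check in the right order: validity period, then CRL."""
    if not (cert.not_before <= now <= cert.not_after):
        return "expired"
    if cert.serial in crl:
        return "revoked"
    return "valid"


def check_cert_crl_only(cert: Cert, crl: set[int], now: datetime) -> str:
    """Wrong order: trusts the CRL alone and never looks at notAfter.
    An expired cert that was revoked before expiry passes as 'valid'."""
    return "revoked" if cert.serial in crl else "valid"


def demo() -> dict:
    """Revoke a cert, then look at it before and after it expires."""
    t0 = datetime(2009, 1, 1, tzinfo=timezone.utc)
    ca = Issuer(lifetime=timedelta(days=365))
    a = ca.issue("a.example", t0)
    ca.issue("b.example", t0)
    ca.revoke(a.serial, t0 + timedelta(days=30))   # key compromised after a month
    early, late = t0 + timedelta(days=60), t0 + timedelta(days=400)
    crl_early, crl_late = ca.crl(early), ca.crl(late)  # `a` pruned from the late CRL
    return {
        "early_crl": crl_early,
        "late_crl": crl_late,
        "a_early": check_cert_correct(a, crl_early, early),
        "a_late_correct": check_cert_correct(a, crl_late, late),
        "a_late_crl_only": check_cert_crl_only(a, crl_late, late),
    }


def crl_growth(days: int, lifetime_days: int) -> tuple[int, int]:
    """Issue and immediately revoke one cert per day; return
    (total revoked ever, entries on the CRL issued on the last day)."""
    t0 = datetime(2009, 1, 1, tzinfo=timezone.utc)
    ca = Issuer(timedelta(days=lifetime_days))
    for d in range(days):
        when = t0 + timedelta(days=d)
        ca.revoke(ca.issue(f"host{d}.example", when).serial, when)
    return len(ca.revoked), len(ca.crl(t0 + timedelta(days=days)))


if __name__ == "__main__":
    print(demo())
    print(crl_growth(days=3 * 365, lifetime_days=365))
```

In `demo()` the revoked cert is on the early CRL and correctly reported as revoked; on the CRL issued after its notAfter it is gone, the correct checker reports "expired", and the CRL-only checker reports "valid", which is exactly the failure the cashier's mandatory expiry check was there to prevent. `crl_growth` shows the bound: after three years of daily revocations the CRL carries fewer than one lifetime's worth of serials, whatever the cumulative revocation count.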