>Technically speaking it's not really supported by X.509 either because CRLs
>don't really work (see for example the FC'99 proceedings for more details on
>this, along with suggestions on how to fix it).

I think you are probably referring to Ron's paper in FC'98. I presented an
alternative and somewhat radical architecture at RSA'99 which demonstrated
that it was practical to distribute revocation info in real time for a
population of 5 billion certs.

There is also the IETF work by Mike Myers and myself on OCSP and OCSP-X
respectively.


> This isn't a problem with Outlook or MS (for once :-) but a
>problem with the whole CRL concept.

Agreed, I see CRLs as a draft architecture that was good enough for circa
1990 but not so hot come deployment a decade later. But it is quite possible
to provide a workable solution in context.


> An option which I like (because
>it's efficient and fast) is to have a BIND-style daemon which snarfs CRLs
>from wherever[0] every now and then and answers validity check queries very
>quickly (millisecond response time, so the user won't even notice it's
>happened).  I hope to have a paper on this out RSN.

I will send you the paper I wrote for RSA '99. I describe precisely that type
of architecture. The argument I make is that we should migrate to that type
of architecture in the long term. OCSP provides a very useful staging
ground.


                Phill
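As an added illustration of the cache-and-answer architecture discussed in this thread (example code, not from either correspondent or from any OCSP implementation), the following stand-alone Python sketches the core of such a daemon: it holds one CRL per issuer, indexes the revoked serials for constant-time lookup, and answers with OCSP-style "good", "revoked" or "unknown" statuses. The CRL records, issuer names and serial numbers are constructed for the example; the `CachedCRL` dataclass stands in for a parsed, signature-verified CRL, which a real responder would obtain by fetching and verifying DER CRLs before loading them.

```python
"""In-memory revocation responder: cache CRLs per issuer, answer in O(1).

Constructed example. It deliberately fails closed: a missing or out-of-date
CRL yields 'unknown', never 'good', and a replayed older CRL cannot displace
a newer one (which would otherwise silently 'un-revoke' certificates).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"


@dataclass(frozen=True)
class CachedCRL:
    """The subset of a CRL the responder needs (constructed; not a DER parser)."""
    issuer: str            # issuer name, e.g. "CN=Example CA" (hypothetical)
    this_update: datetime  # CRL thisUpdate
    next_update: datetime  # CRL nextUpdate
    revoked: frozenset     # serial numbers the CRL lists as revoked


class RevocationCache:
    """Per-issuer CRL cache answering validity queries with OCSP-style statuses."""

    def __init__(self, clock=None):
        self._crls = {}  # issuer -> CachedCRL
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def load(self, crl):
        """Install a freshly fetched CRL; return True if it replaced the cache.

        A CRL whose thisUpdate is not newer than the cached one is rejected,
        so replaying an old (shorter) CRL cannot remove revocations."""
        current = self._crls.get(crl.issuer)
        if current is not None and crl.this_update <= current.this_update:
            return False
        self._crls[crl.issuer] = crl
        return True

    def status(self, issuer, serial):
        """Answer 'revoked', 'good' or 'unknown' with a single set lookup.

        'unknown' is returned when no CRL is cached for the issuer or the
        cached CRL is outside its thisUpdate..nextUpdate window: a stale cache
        must not vouch for a certificate."""
        crl = self._crls.get(issuer)
        now = self._clock()
        if crl is None or not (crl.this_update <= now <= crl.next_update):
            return UNKNOWN
        return REVOKED if serial in crl.revoked else GOOD

    def due_for_refresh(self, lead=timedelta(hours=1)):
        """Issuers whose CRL expires within `lead`; the fetcher polls these first."""
        now = self._clock()
        return sorted(i for i, c in self._crls.items() if c.next_update - now <= lead)


def demo():
    """Exercise the cache on constructed data; return the observed results."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    clock = [t0 + timedelta(hours=13)]  # mutable fake clock for the example
    cache = RevocationCache(clock=lambda: clock[0])
    issuer = "CN=Example CA"  # hypothetical issuer name

    crl_new = CachedCRL(issuer, t0 + timedelta(hours=12), t0 + timedelta(days=2),
                        frozenset({0x1001, 0x2002}))
    crl_old = CachedCRL(issuer, t0, t0 + timedelta(days=1), frozenset({0x1001}))

    results = {}
    results["load_new"] = cache.load(crl_new)                 # True
    results["replay_old"] = cache.load(crl_old)               # False: rejected
    results["revoked"] = cache.status(issuer, 0x2002)         # "revoked"
    results["good"] = cache.status(issuer, 0x3003)            # "good"
    results["no_crl"] = cache.status("CN=Other CA", 0x3003)   # "unknown"
    clock[0] = t0 + timedelta(days=2) - timedelta(minutes=30)
    results["due"] = cache.due_for_refresh()                  # ["CN=Example CA"]
    clock[0] = t0 + timedelta(days=3)                         # past nextUpdate
    results["expired"] = cache.status(issuer, 0x3003)         # "unknown"
    return results


if __name__ == "__main__":
    print(demo())
```

The query path is a dictionary lookup plus a set membership test, which is what makes the millisecond response time plausible; the fetch path, which this sketch only hints at through `due_for_refresh`, is where signature verification and freshness checks on the downloaded CRL belong.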
