In message <[EMAIL PROTECTED]>, Florian Weimer writes:
>
>Can't you strip the certificates which have expired from the CRL? (I
>know that with OpenPGP, you can't, but that's a different story.)
>
>OTOH, I wouldn't be concerned by the file size, although it's
>certainly annoying. I would be really worried that the contents of
>that CRL leaks sensitive information. At least from a privacy point
>of view, this is a big, big problem, especially if you include some
>indication which allows you to judge the validity of old signatures.
>
One can easily conceive of schemes that don't have such problems, such
as simply publishing the hash of revoked certificates, or using a Bloom
filter based on the hashes.
Of course, that doesn't mean that was how it was done...
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
