* Steven M. Bellovin:

> In message <[EMAIL PROTECTED]>, Florian Weimer writes:
>
>> Can't you strip the certificates which have expired from the CRL? (I
>> know that with OpenPGP, you can't, but that's a different story.)
>>
>> OTOH, I wouldn't be concerned by the file size, although it's
>> certainly annoying. I would be really worried that the contents of
>> that CRL leaks sensitive information. At least from a privacy point
>> of view, this is a big, big problem, especially if you include some
>> indication which allows you to judge the validity of old signatures.
>
> One can easily conceive of schemes that don't have such problems, such
> as simply publishing the hash of revoked certificates, or using a Bloom
> filter based on the hashes.
This doesn't completely eliminate the data leak, as long as the
certificates were used in end-to-end communications. Analysis for
relative outsiders becomes harder, though.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
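The two alternatives Bellovin sketches above, a published list of certificate hashes and a Bloom filter over those hashes, worked through as an added example; this is not code from the thread or from any of its participants. It assumes that "hash of the certificate" means SHA-256 over the DER encoding (the thread does not say which hash), uses a standard double-hashing Bloom filter, and stands in constructed byte strings for real certificates. It also exercises the reply's objection: a party who captured a certificate on the wire can still test it against either publication, whereas someone holding only the published bytes recovers no serial, name or fingerprint from them.

```python
"""Revocation publication as a hash list or as a Bloom filter of hashes.

Added example, not code from the thread. Assumption: "hash of the
certificate" means SHA-256 over the DER encoding (the thread does not say).
"""
import hashlib
import math


def fake_cert_der(subject: str) -> bytes:
    """Constructed stand-in for a DER-encoded certificate (not real ASN.1)."""
    return b"CONSTRUCTED-DER-STAND-IN:" + subject.encode() + b"\x00" * 32


def cert_fingerprint(cert_der: bytes) -> bytes:
    """SHA-256 of the DER bytes. Reveals nothing about issuer, serial or dates
    to anyone who never held the certificate itself."""
    return hashlib.sha256(cert_der).digest()


def hash_list_crl(revoked_ders) -> list:
    """First scheme: publish only the sorted fingerprints of revoked certs."""
    return sorted(cert_fingerprint(d) for d in revoked_ders)


def in_hash_list(crl: list, cert_der: bytes) -> bool:
    return cert_fingerprint(cert_der) in crl


class BloomFilter:
    """Second scheme: k bit positions per fingerprint in an m-bit array."""

    def __init__(self, m_bits: int, k: int):
        self.m, self.k = m_bits, k
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, fingerprint: bytes):
        # Kirsch-Mitzenmacher double hashing: k positions from one digest.
        h = hashlib.sha256(b"bloom:" + fingerprint).digest()
        h1 = int.from_bytes(h[:16], "big")
        h2 = int.from_bytes(h[16:], "big") | 1  # odd, so the stride covers the array
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, fingerprint: bytes) -> None:
        for p in self._positions(fingerprint):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, fingerprint: bytes) -> bool:
        return all((self.bits[p >> 3] >> (p & 7)) & 1 for p in self._positions(fingerprint))

    def serialize(self) -> bytes:
        """What the CA would actually publish: sizes plus the raw bit array."""
        return self.m.to_bytes(4, "big") + bytes([self.k]) + bytes(self.bits)


def optimal_params(n: int, p: float):
    """Bit count m and hash count k for n entries at false-positive rate p."""
    m = math.ceil(-n * math.log(p) / math.log(2) ** 2)
    k = max(1, round(m / n * math.log(2)))
    return m, k


def false_positive_rate(m: int, k: int, n: int) -> float:
    """Probability that an unrevoked certificate tests as revoked."""
    return (1 - math.exp(-k * n / m)) ** k


def build_revocation_filter(revoked_ders, capacity: int, p: float) -> BloomFilter:
    """Size for the CA's expected number of revocations, not the current count,
    so the false-positive rate stays at or below p as the CRL grows."""
    bf = BloomFilter(*optimal_params(capacity, p))
    for d in revoked_ders:
        bf.add(cert_fingerprint(d))
    return bf


def demo() -> dict:
    certs = {n: fake_cert_der(n) for n in ("alice", "bob", "carol")}
    revoked = [certs["alice"], certs["carol"]]
    crl = hash_list_crl(revoked)
    bf = build_revocation_filter(revoked, capacity=10_000, p=0.001)
    published = bf.serialize()
    # The reply's point: whoever captured alice's certificate in a handshake
    # can still learn from either publication that it was revoked...
    seen_on_wire = certs["alice"]
    observer_learns = cert_fingerprint(seen_on_wire) in bf and in_hash_list(crl, seen_on_wire)
    # ...while an outsider holding only the published bytes finds no fingerprint
    # (nor serial or name) inside them.
    outsider_learns = any(cert_fingerprint(c) in published for c in certs.values())
    return {
        "alice_revoked": cert_fingerprint(certs["alice"]) in bf,
        "carol_revoked": cert_fingerprint(certs["carol"]) in bf,
        "bob_revoked": cert_fingerprint(certs["bob"]) in bf,
        "bob_in_hash_list": in_hash_list(crl, certs["bob"]),
        "observer_learns": observer_learns,
        "outsider_learns": outsider_learns,
        "hash_list_bytes": 32 * len(crl),
        "filter_bytes": len(published),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The filter sized for 10,000 entries at a 0.1% false-positive rate costs about 14.4 bits per revocation regardless of how many are in it yet, against 32 bytes per entry for the hash list; the price is that a relying party which gets a positive answer cannot distinguish a revocation from a false positive without a second lookup, which is why the capacity should be fixed from the CA's expected volume rather than the current count.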
