On Sat, Jul 31, 2010 at 12:32:39PM -0400, Perry E. Metzger wrote:

> 1 If you can do an online check for the validity of a key, there is no
> need for a long-lived signed certificate, since you could simply ask
> a database in real time whether the holder of the key is authorized
> to perform some action. The signed certificate is completely
> superfluous.
>
> If you can't do an online check, you have no practical form of
> revocation, so a long-lived signed certificate is unacceptable
> anyway.

But, if you query an online database, how do you authenticate its answer? If you use a key for that or an SSL certificate, I see a chicken-and-egg problem.

--
Met vriendelijke groet / with kind regards,
Guus Sliepen <g...@sliepen.org>