Ian Grigg wrote:
> Nelson B wrote:
> > One reason to issue certs with short expiration times (e.g. only
> > a year, even for keys that are thought to require 50+ years to
> > break) is to mitigate the amount of information that must be carried
> > in the issuer's CRL.
>
> Aha! I always wondered about that. It occurred to me that selling
> 1-year certs was simply and solely a revenue stream, when the cost of
> production was the same for any length. Now we have a reason, which
> is to keep the CRLs short. Makes sense.
>
> (It's not a particularly good reason, but at least it's a fair reason.
> Revocation is probably costly.)
I have been told by a CA employee that it is the single most costly
aspect of CA operation.
I think it is considered good practice to carry a cert on
a CRL for some small time after it expires, but not continually
thereafter.
All this stuff was learned from the credit card industry YEARS before
there were PKI certs and CRLs and OCSP.
When I was a little boy (and dinosaurs roamed the earth), my mother
took me to the local discount store and bought something with her
new-fangled credit card. The sales clerk took a large paperback
book (about the size of the phone book) out from under the counter.
It was the RCL, the Revoked Cards List, published monthly IIRC.
Every page had numerous columns of credit card numbers, sorted
in numerical order. The clerk had to search the list until she
found two adjacent numbers in a column that were less than and
greater than the number of the card she was holding. Then she
could approve the sale. When she imprinted the credit card on the
credit card slip, she had to circle or mark the expiration date on
the slip to show that the expiration date had been checked. Any
clerk who failed to check the expiration date would be liable for
the entire purchase amount if the transaction had a problem. Revoked
cards were kept in the list for one month past their expiration.
Then they came out with the now-ubiquitous credit card validator
machines, which read the card and check it for revocation with the
issuer. It was the model for OCSP. I remember when OCSP was first
being devised, people scoffed that it was impractical because it
wouldn't scale. I always asked, "why not? It works for credit cards".
--
Nelson B
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
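The two mechanisms the thread describes, a sorted revocation list searched by finding the neighbouring entries, and a retention rule that drops an entry a month after the cert expires, modelled as an added Python example (not code from the list or from either poster). It assumes integer serial numbers, time counted in whole days, and a 30-day grace period after expiry, all constructed for illustration; the steady-state size it computes is the worst case in which every revoked cert was revoked immediately after issuance, so each entry lives the full validity period plus the grace period.

```python
"""Toy model of the CRL behaviour discussed in the thread.

Added example, not code from the mailing list. Assumptions (constructed for
illustration): serials are integers, time is counted in whole days, and a
revoked entry is kept until GRACE_DAYS past the cert's own expiry, the
"one month past expiration" rule from the post.
"""
import bisect
import heapq

GRACE_DAYS = 30  # keep a revoked cert listed one month past its expiry


class CRL:
    """Revoked serials kept sorted, searched the way the clerk searched the RCL."""

    def __init__(self):
        self._serials = []      # sorted list of revoked serial numbers
        self._by_expiry = []    # min-heap of (not_after, serial) used for pruning

    def revoke(self, serial, not_after):
        """Add a serial; not_after is the day the certificate itself expires."""
        i = bisect.bisect_left(self._serials, serial)
        if i < len(self._serials) and self._serials[i] == serial:
            return  # already listed, nothing to do
        self._serials.insert(i, serial)
        heapq.heappush(self._by_expiry, (not_after, serial))

    def is_revoked(self, serial):
        """Binary search: the clerk's 'find the two neighbouring numbers' check."""
        i = bisect.bisect_left(self._serials, serial)
        return i < len(self._serials) and self._serials[i] == serial

    def prune(self, today):
        """Drop entries whose cert expired more than GRACE_DAYS before today."""
        while self._by_expiry and self._by_expiry[0][0] + GRACE_DAYS < today:
            _, serial = heapq.heappop(self._by_expiry)
            del self._serials[bisect.bisect_left(self._serials, serial)]

    def __len__(self):
        return len(self._serials)


def crl_size_after(validity_days, revocations_per_day, sim_days):
    """Steady-state CRL length for a CA that revokes at a constant daily rate.

    Worst case for list size (an assumption of this model): every revoked cert
    is revoked right after issuance, so its entry lives validity_days +
    GRACE_DAYS days. Once sim_days exceeds that, the list settles at
    revocations_per_day * (validity_days + GRACE_DAYS + 1) entries, i.e. it
    grows in proportion to certificate lifetime, which is the reason the
    thread gives for short-lived certs.
    """
    crl = CRL()
    serial = 0
    for day in range(sim_days):
        for _ in range(revocations_per_day):
            serial += 1
            crl.revoke(serial, not_after=day + validity_days)
        crl.prune(day)
    return len(crl)


if __name__ == "__main__":
    for years in (1, 5):
        days = 365 * years
        size = crl_size_after(days, 1, days + 60)
        print(f"{years}-year certs, one revocation per day: {size} CRL entries")
```

Running the module prints the settled list size for 1-year and 5-year certs at the same revocation rate; the 5-year list is roughly five times longer, since an entry has to stay listed until its cert would have expired anyway. In a real CRL the serials are X.509 serial numbers rather than small integers, but the lookup and the retention rule are the same.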