On 16/03/16 17:45, Stephen Kent wrote:
> Rob,
> <snip>
>> So we (where "we" may or may not be TRANS) need to fix revocation!
>> Revoking an intermediate _certificate_ just isn't sufficient.
>> To be effective, the intermediate _public key_ needs to be revoked
>> somehow.
> One does not revoke keys in a PKI. One revokes certs.
Steve, I know very well how the existing IETF mechanisms for revocation
(i.e. CRL and OCSP) work. But I don't see why that should mean that new
revocation mechanisms can't be invented, especially if those new
mechanisms can thwart attacks that CRL and OCSP can't.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
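The point Rob is making, illustrated with an added model that is not part of this thread or of any IETF work: CRL and OCSP identify a revoked certificate by (issuer, serial), so a second certificate carrying the same intermediate public key, whether cross-signed by another root or re-issued under a new serial, is untouched by that entry. A revocation keyed on a hash of the SubjectPublicKeyInfo catches every certificate that carries the key. The CA names, serial numbers and key bytes below are constructed stand-ins, and `check_chain` is a hypothetical path-validation hook, not a real library API.

```python
"""Certificate-based vs key-based revocation, as a constructed model.

All issuers, serials and key bytes here are made up for illustration;
no real PKI data or library is involved.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    issuer: str   # name of the issuing CA
    serial: int   # serial number, unique only within one issuer
    spki: bytes   # SubjectPublicKeyInfo; plain bytes stand in for DER here


def spki_hash(spki: bytes) -> str:
    """SHA-256 over the SubjectPublicKeyInfo, the usual way to name a key."""
    return hashlib.sha256(spki).hexdigest()


def revoked_by_crl(cert: Cert, crl: set) -> bool:
    """CRL/OCSP semantics: a revocation entry names one (issuer, serial)."""
    return (cert.issuer, cert.serial) in crl


def revoked_by_key(cert: Cert, blocked_keys: set) -> bool:
    """Key-based revocation: reject any certificate carrying a blocked key."""
    return spki_hash(cert.spki) in blocked_keys


def check_chain(chain, crl, blocked_keys):
    """Hypothetical validation hook (not a real API): returns
    (crl_rejects, key_rejects), i.e. whether each mechanism would
    refuse a chain containing any of these certificates."""
    crl_rejects = any(revoked_by_crl(c, crl) for c in chain)
    key_rejects = any(revoked_by_key(c, blocked_keys) for c in chain)
    return crl_rejects, key_rejects


# Constructed scenario: one intermediate key that must no longer be trusted.
COMPROMISED_KEY = b"constructed-intermediate-public-key"
LEAF_KEY = b"constructed-end-entity-public-key"

# The certificate that actually got revoked.
original = Cert("Root A", 1001, COMPROMISED_KEY)
# The same key cross-signed by a different root: different issuer, different serial.
cross_signed = Cert("Root B", 7, COMPROMISED_KEY)
# The same key re-issued by the original root under a fresh serial.
reissued = Cert("Root A", 1002, COMPROMISED_KEY)

# What the relying party has been told to reject, by each mechanism.
CRL = {("Root A", 1001)}
BLOCKED_KEYS = {spki_hash(COMPROMISED_KEY)}


def demo():
    """Evaluate a leaf chained to each variant of the intermediate."""
    results = {}
    for name, intermediate in (("original", original),
                               ("cross_signed", cross_signed),
                               ("reissued", reissued)):
        leaf = Cert(issuer=intermediate.issuer + " intermediate",
                    serial=42, spki=LEAF_KEY)
        results[name] = check_chain([leaf, intermediate], CRL, BLOCKED_KEYS)
    return results


if __name__ == "__main__":
    for name, (by_crl, by_key) in demo().items():
        print(f"{name:13s} rejected by CRL: {by_crl!s:5s} rejected by key: {by_key}")
```

Only the certificate that was literally listed is stopped by the CRL entry; the cross-signed and re-issued copies of the same key pass a serial-based check and fail only the key-based one. A relying party that wants the stronger behaviour has to carry a key blocklist in addition to, not instead of, CRL/OCSP processing.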
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans