Hi all,

If it is not too late... regarding Section 7.5, first bullet point: the text seems a bit too restrictive. Probably in the context of current Web Browsers CRLs are not used today, but other environments still make wide use of CRLs. I would also like to add a privacy consideration about the use of CRLs vs. other mechanisms.

For this I would change the text from:

   Certificate Revocation Lists (CRLs) are not scalable and therefore
   rarely used.


to something like the following:

   Certificate Revocation Lists (CRLs) provide the most supported
   revocation information distribution mechanism. Although updates to
   the CRL format (e.g., partitioned CRLs, delta CRLs) have been defined
   to address scalability issues, they are rarely used in favor of more
   compact formats. However, it is important to notice that the use of
   CRLs might provide better privacy-preserving properties than other
   protocols (e.g., OCSP), especially when considering the validation of
   client-side certificates.

The last consideration stems from the fact that by using CRLs, a service does not need to communicate with the certificate issuing authority (e.g., the CA or the entity running an OCSP server) and disclose the certificate for which the revocation status is requested.

Cheers,
Max
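The privacy point in the message above, as an added example (this is not part of the original post, nor text or code from the draft under discussion): a throwaway CA, one revoked and one good client certificate, and a CRL are constructed in memory with the `cryptography` package. `crl_status()` decides revocation purely from the locally held CRL, after checking its signature and freshness, so the CA is never told which certificate is being validated. `ocsp_request_fields()` builds the OCSP request a relying party would otherwise have to send, showing that it carries the certificate's serial number and hashed issuer identifiers. All names, serial numbers and dates are made up for the example.

```python
"""Added example: local CRL check vs. what an OCSP request discloses.
Requires the `cryptography` package; all PKI material is constructed here."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc
NOW = datetime.datetime(2014, 11, 13, tzinfo=UTC)   # fixed clock, constructed
REVOKED_SERIAL = 0x1001                              # constructed serial numbers
GOOD_SERIAL = 0x1002


def _issue(builder, issuer_name, signer_key):
    """Finish a CertificateBuilder with issuer, validity and signature."""
    return (builder.issuer_name(issuer_name)
            .not_valid_before(NOW)
            .not_valid_after(NOW + datetime.timedelta(days=365))
            .sign(signer_key, hashes.SHA256()))


def build_pki():
    """Constructed test PKI: one CA, a revoked and a good client cert, one CRL."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    ca_cert = _issue(
        x509.CertificateBuilder().subject_name(ca_name).public_key(ca_key.public_key())
        .serial_number(1)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True),
        ca_name, ca_key)

    def client_cert(common_name, serial):
        key = ec.generate_private_key(ec.SECP256R1())
        subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
        return _issue(x509.CertificateBuilder().subject_name(subject)
                      .public_key(key.public_key()).serial_number(serial), ca_name, ca_key)

    revoked_cert = client_cert("alice", REVOKED_SERIAL)
    good_cert = client_cert("bob", GOOD_SERIAL)

    # The CRL lists alice's serial as revoked (keyCompromise) and is valid for a week.
    entry = (x509.RevokedCertificateBuilder()
             .serial_number(REVOKED_SERIAL).revocation_date(NOW)
             .add_extension(x509.CRLReason(x509.ReasonFlags.key_compromise), critical=False)
             .build())
    crl = (x509.CertificateRevocationListBuilder()
           .issuer_name(ca_name)
           .last_update(NOW).next_update(NOW + datetime.timedelta(days=7))
           .add_revoked_certificate(entry)
           .sign(ca_key, hashes.SHA256()))
    return {"ca_cert": ca_cert, "revoked_cert": revoked_cert,
            "good_cert": good_cert, "crl": crl}


def _crl_next_update(crl):
    # cryptography >= 42 exposes aware datetimes via *_utc; older releases give naive UTC.
    next_update = getattr(crl, "next_update_utc", None)
    return next_update if next_update is not None else crl.next_update.replace(tzinfo=UTC)


def crl_status(crl, issuer_cert, cert, at=NOW):
    """Decide revocation status from a locally held CRL only.

    Nothing here contacts the CA: the relying party fetched (or was provisioned
    with) the whole list earlier, so the issuer never learns which certificate
    is being checked.  The list is trusted only after its signature, issuer and
    freshness are verified; a stale list is an error, not a "good".
    """
    if not crl.is_signature_valid(issuer_cert.public_key()):
        raise ValueError("CRL signature does not verify against the issuer key")
    if crl.issuer != cert.issuer:
        raise ValueError("CRL was not issued by this certificate's issuer")
    if at > _crl_next_update(crl):
        raise ValueError("CRL is stale; refusing to decide on expired revocation data")
    entry = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
    return "revoked" if entry is not None else "good"


def ocsp_request_fields(cert, issuer_cert):
    """Build the OCSP request a relying party would send, and return what it reveals.

    The CertID names the certificate by serial number plus hashes of the issuer
    name and key, so whoever runs the responder learns exactly which certificate
    (for a client certificate: which user) is being validated, and when.
    """
    request = ocsp.OCSPRequestBuilder().add_certificate(cert, issuer_cert, hashes.SHA1()).build()
    return {"serial_number": request.serial_number,
            "issuer_name_hash": request.issuer_name_hash.hex(),
            "issuer_key_hash": request.issuer_key_hash.hex(),
            "der_length": len(request.public_bytes(serialization.Encoding.DER))}


if __name__ == "__main__":
    pki = build_pki()
    for label in ("revoked_cert", "good_cert"):
        print(label, "->", crl_status(pki["crl"], pki["ca_cert"], pki[label]))
    print("OCSP request would disclose:", ocsp_request_fields(pki["good_cert"], pki["ca_cert"]))
```

Running the script prints `revoked` for alice and `good` for bob without any network I/O, then the serial number and issuer hashes that an OCSP request for bob's certificate would carry to the responder. The freshness check is deliberately strict: once `nextUpdate` has passed, the function refuses to answer rather than treating an absent entry as "good".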


On 11/13/14, 1:28 AM, Stephen Farrell wrote:

> On 13/11/14 04:30, Leif Johansson wrote:
>> Your clarifications seem helpful to me, thanks!
>>
>> I am content with all my other feedback being ignored, as it is less
>> important.
>
> OK. But I for one will look at it more closely soon.
>
> Since we are out of WGLC I would like to see at least some +1's from the
> WG to make sure we're actually reflecting WG consensus here.
>
>> I'm fine with the changes suggested in Brian's last mail.
>
> That said, I'm not confident I know the impact of the change
> to 7.5 (the OCSP stuff) as I've not gone looking at code nor
> thought about any ops issues that could arise, but it looks
> reasonable for sure, so is probably ok unless someone yells.
>
> S.
>
>> Cheers Leif


_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
