PKIs, if any, are not useful for authentication on consumable credentials. The only merit of PK with CA over shared key with KDC is that no communication with CAs is necessary for every transaction. However, it means that there is no entity to check the amount of remaining credential. So, if an attacker has a certificate to be used for 1,000USD of transaction, the attacker can use the certificate for 1,000 seconds, 1,000 times a second, from 1,000 different locations, total damage of which is 1,000,000,000,000USD for personal benefit of the attacker or for economic terrorism to ruin the worldwide economy.

It should be noted that CRLs are, because of obvious operational issues, expected to be updated weekly or monthly and quite unlikely hourly, even in which case, CRLs cannot prevent the attacks mentioned above.

Masataka Ohta
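
The contrast drawn in the message above, as an added example that is not part of the original message: independent verifiers that only check a signature and a cached CRL each accept the full limit, while an issuer consulted on every transaction caps the total. The credential format, serial, and key are constructed, and an HMAC stands in for the CA signature only to keep the sketch in the standard library.

```python
import hashlib
import hmac

ISSUER_KEY = b"constructed-demo-key"  # assumption: stand-in for the CA signing key

def _sign(serial, limit):
    return hmac.new(ISSUER_KEY, f"{serial}:{limit}".encode(), hashlib.sha256).hexdigest()

def issue(serial, limit):
    """Issue a credential good for `limit` USD (constructed format)."""
    return {"serial": serial, "limit": limit, "sig": _sign(serial, limit)}

def signature_ok(cred):
    return hmac.compare_digest(_sign(cred["serial"], cred["limit"]), cred["sig"])

class OfflineVerifier:
    """Checks the signature and a cached CRL; never contacts the issuer."""
    def __init__(self, crl_snapshot=()):
        self.crl = set(crl_snapshot)

    def accept(self, cred, amount):
        return (signature_ok(cred) and cred["serial"] not in self.crl
                and amount <= cred["limit"])

class OnlineIssuer:
    """KDC-style authority: holds the remaining balance, asked on every spend."""
    def __init__(self):
        self.remaining = {}

    def register(self, cred):
        self.remaining[cred["serial"]] = cred["limit"]

    def authorize(self, cred, amount):
        if not signature_ok(cred) or self.remaining.get(cred["serial"], 0) < amount:
            return False
        self.remaining[cred["serial"]] -= amount
        return True

def total_offline(cred, locations, spends_each, amount, crl=()):
    """Sum accepted by independent verifiers that share no state."""
    verifiers = [OfflineVerifier(crl) for _ in range(locations)]
    return sum(amount for v in verifiers for _ in range(spends_each)
               if v.accept(cred, amount))

def total_online(cred, attempts, amount):
    """Sum accepted when one issuer decrements a shared balance."""
    issuer = OnlineIssuer()
    issuer.register(cred)
    return sum(amount for _ in range(attempts) if issuer.authorize(cred, amount))
```

A verifier whose cached CRL predates the revocation behaves exactly like one with an empty CRL, so the offline total is unchanged until every verifier has fetched the update.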
