I thought discussion might have been pkix &/or x9f related ... as an easier step than starting to search my own archives ... i've done a quicky web search engine ...

one entry in pkix thread:
http://www.imc.org/ietf-pkix/old-archive-01/msg01776.html

here is recent m'soft article mentioning the subject:
http://www.microsoft.com/technet/itsolutions/wssra/raguide/CertificateServices/CrtSevcBP_2.mspx
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx

i also believe that it showed up in x9f5 work on PKI CPS ... but i would have to check my archives ... however here is pointer to a verisign cps ... that search engine claims contains words on revoking CA (ra, etc):
http://www4.ncsu.edu/~baumerdl/Verisign.Certification.Practice.Word.doc

another verisign related reference:
http://www.verisign.com/repository/cis/CIS_VTN_CP_Supplement.pdf

also, i remember OCSP coming on the scene sometime after I had been going for a while about how CRLs were 1960s technology (at least in the payment card business) .... before payment card moved into the modern online world with online authentication & authorization (moving away from having to manage credentials/certificates that had been designed for an offline paradigm).

one might assert that OCSP is a rube-goldberg solution trying to preserve some facade of the usefulness of certificates (designed to solve real-world offline paradigm issues) in an online world (somehow avoiding having to make a transition to straight online paradigm and preserving the appearance that stale, static, redundant and superfluous certificates serve some useful purpose).

--
Anne & Lynn Wheeler | http://www.garlic.com/~lynn/
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security