RE: X.BlaBla in PGP??? BWAHAHAHAHAHA!!!!
"Phillip Hallam-Baker" [EMAIL PROTECTED] writes:

> I think you are probably referring to Ron's paper in FC'98. I presented an
> alternative and somewhat radical architecture at RSA'99 which demonstrated
> that it was practical to distribute revocation info in real time for a
> population of 5 billion certs.

There are many good alternatives (actually pretty much everything is better than CRL's, so it's difficult to come up with a bad alternative), but the problem they all have is that they're not CRL's. To paraphrase Bob Jueneman: "The market has spoken. The answer is CRL's, although no one can quite remember what the question was".

Given that it's going to be very difficult to make any headway against this unless you've got a vertical-market application where you can design things the way you want them, my approach has been to try to turn CRL's into a silk purse through some form of reprocessing (a CRL - OCSP gateway would be an example of this). That way, you can pretend to have CRL's (giving the customer exactly what they asked for) while also having a system which works.

The warning from Padlipsky's "Elements of Networking Style" is still appropriate here though for anyone trying to work around the problem of CRL's: "The schoolmen couldn't find how many teeth a horse had in Aristotle; a student suggested they look in some horses' mouths. They expelled him".

Peter.
RE: X.BlaBla in PGP??? BWAHAHAHAHAHA!!!!
> Technically speaking it's not really supported by X.509 either because CRL's
> don't really work (see for example the FC'99 proceedings for more details on
> this, along with suggestions on how to fix it).

I think you are probably referring to Ron's paper in FC'98. I presented an alternative and somewhat radical architecture at RSA'99 which demonstrated that it was practical to distribute revocation info in real time for a population of 5 billion certs. There is also the IETF work by Mike Myers and myself on OCSP and OCSP-X respectively.

> This isn't a problem with Outlook or MS (for once :-) but a problem with the
> whole CRL concept.

Agreed, I see CRLs as a draft architecture that was good enough for circa 1990 but not so hot come deployment a decade later. But it is quite possible to provide a workable solution in context.

> An option which I like (because it's efficient and fast) is to have a
> BIND-style daemon which snarfs CRL's from wherever[0] every now and then and
> answers validity check queries very quickly (millisecond response time, so
> the user won't even notice it's happened). I hope to have a paper on this
> out RSN.

I will send you the paper I wrote for RSA '99. I describe precisely that type of architecture. The argument I make is that we should migrate to that type of architecture in the long term. OCSP provides a very useful staging ground.

Phill
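The CRL-to-OCSP gateway Peter mentions in the first message and the BIND-style daemon that "snarfs CRL's" and answers validity queries in the second are the same mechanism: cache a CRL per issuer and answer per-certificate status from it. The block below is an added illustration of that cache, not code from either author or from any OCSP implementation. It assumes the CRLs have already been fetched, parsed and signature-checked (they are represented as plain Python objects rather than DER), and the names ParsedCRL, RevocationCache and the sample issuer, serials and timestamps are all constructed for this example. Beyond the thread's description, it handles the two failure modes such a daemon must get right: it refuses to roll back to an older CRL (by CRL number), and it never answers "good" from a CRL whose nextUpdate has passed.

```python
"""CRL-to-OCSP-style validity cache (constructed example).

Assumes each CRL has already been verified against the issuer's key; only the
caching, freshness and query logic is modelled here.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class ParsedCRL:
    issuer: str
    crl_number: int                 # CRL Number extension: increases per issuer
    this_update: datetime
    next_update: datetime
    revoked: dict = field(default_factory=dict)   # serial -> revocation reason


class RevocationCache:
    """Answers ('good' | 'revoked' | 'unknown', detail) for (issuer, serial)."""

    def __init__(self):
        self._crls: dict[str, ParsedCRL] = {}

    def load_crl(self, crl: ParsedCRL) -> bool:
        """Ingest a CRL. Returns False, keeping the cached copy, if the new
        CRL is not newer by CRL number (a replayed old CRL must not be able
        to un-revoke a certificate) or if its validity window is malformed."""
        current = self._crls.get(crl.issuer)
        if current is not None and crl.crl_number <= current.crl_number:
            return False
        if crl.next_update <= crl.this_update:
            return False
        self._crls[crl.issuer] = crl
        return True

    def check(self, issuer: str, serial: int, now: datetime) -> tuple:
        crl = self._crls.get(issuer)
        if crl is None:
            return ("unknown", "no CRL cached for issuer")
        if now < crl.this_update:
            return ("unknown", "CRL thisUpdate is in the future")
        reason = crl.revoked.get(serial)
        if now > crl.next_update:
            # Stale CRL: a cert revoked since nextUpdate would not be listed,
            # so 'good' cannot be asserted. A permanent revocation still
            # holds; a certificateHold may have been lifted, so say unknown.
            if reason is not None and reason != "certificateHold":
                return ("revoked", reason)
            return ("unknown", "cached CRL past nextUpdate; refresh needed")
        if reason is not None:
            return ("revoked", reason)
        return ("good", f"not listed on CRL #{crl.crl_number}")

    def needs_refresh(self, issuer: str, now: datetime,
                      margin: timedelta = timedelta(minutes=5)) -> bool:
        """True if the daemon should re-fetch before the cached CRL expires."""
        crl = self._crls.get(issuer)
        return crl is None or now >= crl.next_update - margin


# Constructed sample data: one issuer, three CRLs in sequence.
T0 = datetime(2000, 1, 1, tzinfo=timezone.utc)
ISSUER = "CN=Example Root CA"          # constructed name
CRL_10 = ParsedCRL(ISSUER, 10, T0, T0 + timedelta(days=1),
                   {0x1001: "keyCompromise", 0x1002: "certificateHold"})
CRL_9 = ParsedCRL(ISSUER, 9, T0 - timedelta(days=1), T0, {})   # older replay
CRL_11 = ParsedCRL(ISSUER, 11, T0 + timedelta(days=1), T0 + timedelta(days=2),
                   {0x1001: "keyCompromise", 0x2000: "cessationOfOperation"})


def build_cache() -> RevocationCache:
    """Load the current CRL and attempt to replay the older one."""
    cache = RevocationCache()
    cache.load_crl(CRL_10)
    cache.load_crl(CRL_9)       # rejected: CRL number 9 <= 10
    return cache


def demo() -> list:
    cache = build_cache()
    fresh = T0 + timedelta(hours=1)
    stale = T0 + timedelta(days=2)
    results = [
        cache.check(ISSUER, 0x1001, fresh)[0],        # revoked
        cache.check(ISSUER, 0x2000, fresh)[0],        # good
        cache.check("CN=Other CA", 0x2000, fresh)[0], # unknown (no CRL)
        cache.check(ISSUER, 0x2000, stale)[0],        # unknown (stale)
        cache.check(ISSUER, 0x1002, stale)[0],        # unknown (hold, stale)
    ]
    cache.load_crl(CRL_11)
    results.append(cache.check(ISSUER, 0x2000, T0 + timedelta(days=1, hours=1))[0])
    return results


if __name__ == "__main__":
    for status in demo():
        print(status)
```

The "unknown" answers are the point of the design: a gateway that silently served "good" from an expired CRL would reproduce the original CRL latency problem while hiding it behind a fast response, so the client should treat "unknown" as a signal to fall back or fail closed, and needs_refresh() lets the daemon re-fetch shortly before nextUpdate rather than after.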