Date: Tue, 14 Oct 97 10:07:10 +0100
Message-Id: <20594.1782757773@x400.icl.co.uk>
From: "NC Battle" <nick.battle@x400.icl.co.uk>
To: Hemma.Prafullchandra@Eng
In-Reply-To: <libSDtMail.9710131449.19759.hemma@shorter>
Subject: RE(2): Revoking bad certificates?
Hemma,
> If a public CA is involved then the CRL from that CA would be
the means of notifying the clients systems of compromised keys.
The client systems would have to retrieve the CRL and insist on
a check of all certificates against appropriate CRLs.
So it's always the client's responsibility to get the latest CRL, or
more generally have a policy about how frequently they get the latest
CRL for certain certified applets.
Do you know what scheme the public CAs have (or have planned) to arrange
for the efficient distribution of CRLs?
I have no idea of the numbers, but if signed applet usage increases rapidly,
and revocation is taken seriously, then the means of distributing CRLs has
to be thought about carefully (eg. by local agents of the CA mirroring CRLs
to prevent requests building up at the CA site itself).
Do you know whether certificate revocation is expected to be treated as an
important part of the use of signed applets, or whether a revocation event
is expected to be a rare occurrance and therefore perhaps something many
users will forget about checking (ie. just place trust in the original
authentication that the CA used when issuing the certificate and trust the
owner to have guarded the private key appropriately)?
Thanks,
-nick