How many wrongs do you need to make a right?

[Peter Gutmann]

In the 1950s we had cheque blacklists, which were used in an attempt to manage
bad cheques.

  They didn't work well, and were abandoned as soon as better mechanisms
  became available.

In the 1960s and 70s we had credit card blacklists, which were used in an
attempt to manage bad credit cards.

  They didn't work well, and were abandoned as soon as better mechanisms
  became available.

In the 1980s, the fine folks who gave us OSI also brought us CRLs in an
attempt to manage bad certs.

  They didn't work well, but twenty years later the X.509 folks are still
  hanging in there in the hope that one day they'll spontaneously start
  working.

http://www.networkworld.com/news/2005/081505-pki.html?nl

[...]

In the eight years since the U.S. Department of Defense started using the PKI
certificate management system it bought from Netscape Communications, it has
issued more than 16 million digital certificates. Most of them are stored on
the department's common access smartcard, which is the main ID card used by
the Army, Navy, Air Force and Marines.

Along the way, the military also has revoked 10 million certificates as
personnel and network needs change. That huge certificate revocation list
(CRL) - which has bloated to over 50M bytes in file size - is the crux of the
problem facing the Defense Department, because the entire CRL is supposed to
be downloaded daily to every PKI user's desktop at the department from servers
acting as distribution points.

[...]

Gosh, I wonder why no-one saw that coming.

(I guess they have to revoke all those certs that were issued in exchange for
a few dollars and some weed :-).

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com