How many wrongs do you need to make a right?

Florian Weimer fw at deneb.enyo.de
Wed Aug 17 08:14:28 EDT 2005


* Peter Gutmann:

> http://www.networkworld.com/news/2005/081505-pki.html?nl
>
> [...]

> Along the way, the military also has revoked 10 million certificates as
> personnel and network needs change. That huge certificate revocation list
> (CRL) - which has bloated to over 50M bytes in file size - is the crux of the
> problem facing the Defense Department, because the entire CRL is supposed to
> be downloaded daily to every PKI user's desktop at the department from servers
> acting as distribution points.
>
> [...]
>
> Gosh, I wonder why no-one saw that coming.

Can't you strip the certificates which have expired from the CRL?  (I
know that with OpenPGP, you can't, but that's a different story.)

OTOH, I wouldn't be concerned by the file size, although it's
certainly annoying.  I would be really worried that the contents of
that CRL leaks sensitive information.  At least from a privacy point
of view, this is a big, big problem, especially if you include some
indication which allows you to judge the validity of old signatures.

> (I guess they have to revoke all those certs that were issued in exchange for
> a few dollars and some weed :-).

8-)

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
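The question raised above, whether expired certificates can be dropped from a CRL, has a precise answer in RFC 3280/5280 section 3.3: an entry may only be removed after it has appeared on one regularly scheduled CRL issued beyond the certificate's validity period, and the CRL itself does not carry expiry dates, so pruning needs the CA's own issuance records. The following is an added illustration, not code from the thread or from any DoD system; it models a CRL and a CA issuance database as plain Python structures with constructed sample values and walks a daily CRL series through that rule.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed model: a CRL entry carries serial, revocation date and reason
# (the fields that leak the "who left when, and why" information discussed
# above); certificate expiry lives only in the CA's issuance database.
@dataclass(frozen=True)
class RevokedEntry:
    serial: int
    revocation_date: datetime
    reason: str  # e.g. "keyCompromise", "affiliationChanged"

def prune_expired(entries: List[RevokedEntry], not_after: Dict[int, datetime],
                  this_update: datetime, prev_update: datetime) -> List[RevokedEntry]:
    """Entries that must still appear on the CRL issued at this_update.

    RFC 3280/5280 s.3.3: an entry MUST NOT be removed until it has appeared on
    one scheduled CRL issued after the certificate expired. So it is dropped
    only if expiry preceded the *previous* CRL (that CRL already listed it
    past expiry). Serials unknown to the issuance DB are kept: expiry cannot
    be proven from the CRL alone.
    """
    kept = []
    for e in entries:
        expiry: Optional[datetime] = not_after.get(e.serial)
        if expiry is not None and expiry < prev_update:
            continue  # already appeared on one CRL beyond validity; drop it
        kept.append(e)
    return kept

def daily_crl_series(entries: List[RevokedEntry], not_after: Dict[int, datetime],
                     start: datetime, days: int) -> List[List[int]]:
    """Issue one CRL per day from `start`; return the serials on each CRL."""
    series, current = [], list(entries)
    prev = start - timedelta(days=1)  # assume the previous CRL was a day earlier
    for d in range(days):
        this_update = start + timedelta(days=d)
        current = prune_expired(current, not_after, this_update, prev)
        series.append(sorted(e.serial for e in current))
        prev = this_update
    return series

# Constructed sample data (hypothetical serials and dates).
T = datetime(2005, 8, 17, tzinfo=timezone.utc)
NOT_AFTER = {1: T - timedelta(days=10),     # expired well before previous CRL
             2: T - timedelta(hours=12),    # expired between previous CRL and now
             3: T + timedelta(days=365)}    # still valid; serial 4 unknown to DB
CRL_ENTRIES = [RevokedEntry(1, T - timedelta(days=30), "affiliationChanged"),
               RevokedEntry(2, T - timedelta(days=5), "keyCompromise"),
               RevokedEntry(3, T - timedelta(days=2), "superseded"),
               RevokedEntry(4, T - timedelta(days=40), "cessationOfOperation")]

if __name__ == "__main__":
    print(daily_crl_series(CRL_ENTRIES, NOT_AFTER, T, 3))  # [[2, 3, 4], [3, 4], [3, 4]]
```

Serial 2 stays on the first CRL after its expiry and is dropped on the next; serial 4 is never dropped because the issuance database cannot confirm it expired.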
