How many wrongs do you need to make a right?
Florian Weimer
fw at deneb.enyo.de
Wed Aug 17 09:24:17 EDT 2005
* Steven M. Bellovin:
> In message <87br3wdal7.fsf at mid.deneb.enyo.de>, Florian Weimer writes:
>
>>
>>Can't you strip the certificates which have expired from the CRL? (I
>>know that with OpenPGP, you can't, but that's a different story.)
>>
>>OTOH, I wouldn't be concerned by the file size, although it's
>>certainly annoying. I would be really worried that the contents of
>>that CRL leaks sensitive information. At least from a privacy point
>>of view, this is a big, big problem, especially if you include some
>>indication which allows you to judge the validity of old signatures.
>>
>
> One can easily conceive of schemes that don't have such problems, such
> as simply publishing the hash of revoked certificates, or using a Bloom
> filter based on the hashes.
This doesn't completely eliminate the data leak, as long as the
certificates were used in end-to-end communications. Analysis for
relative outsiders becomes harder, though.
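A minimal sketch of the two alternatives Steve Bellovin mentions above (publishing a list of hashes of revoked certificates, or a Bloom filter over those hashes), added here as an illustration and not code from either poster or from any real CRL implementation. It assumes SHA-256 as the certificate fingerprint, derives the k Bloom positions as SHA-256(i || fingerprint) mod m (a choice made for this example), and stands in constructed byte strings for DER-encoded certificates.

```python
import hashlib
import math
from typing import Iterable


def cert_fingerprint(cert_der: bytes) -> bytes:
    """SHA-256 over the certificate encoding; this is all the publisher releases
    per revoked certificate, instead of the serial number and revocation date
    a conventional CRL entry carries."""
    return hashlib.sha256(cert_der).digest()


def build_hash_list(revoked_certs: Iterable[bytes]) -> frozenset:
    """Alternative 1: a plain set of fingerprints of revoked certificates."""
    return frozenset(cert_fingerprint(c) for c in revoked_certs)


class RevocationBloomFilter:
    """Alternative 2: a Bloom filter over certificate fingerprints.
    m_bits is the filter size, k_hashes the number of positions per entry."""

    def __init__(self, m_bits: int, k_hashes: int) -> None:
        if m_bits % 8 != 0 or k_hashes < 1:
            raise ValueError("m_bits must be a multiple of 8 and k_hashes >= 1")
        self.m = m_bits
        self.k = k_hashes
        self.bits = bytearray(m_bits // 8)

    def _positions(self, fingerprint: bytes):
        # Assumed position derivation for this example: SHA-256(i || fp) mod m.
        for i in range(self.k):
            h = hashlib.sha256(bytes([i]) + fingerprint).digest()
            yield int.from_bytes(h[:8], "big") % self.m

    def add(self, fingerprint: bytes) -> None:
        for pos in self._positions(fingerprint):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def may_contain(self, fingerprint: bytes) -> bool:
        # False means "definitely not revoked"; True means "possibly revoked"
        # and should trigger a fallback check (e.g. an online status lookup).
        return all(self.bits[pos // 8] & (1 << (pos % 8))
                   for pos in self._positions(fingerprint))

    def to_bytes(self) -> bytes:
        """What actually gets published: m/8 bytes, no serials, no dates."""
        return bytes(self.bits)


def build_revocation_filter(revoked_certs: Iterable[bytes],
                            m_bits: int = 8192,
                            k_hashes: int = 4) -> RevocationBloomFilter:
    filt = RevocationBloomFilter(m_bits, k_hashes)
    for cert in revoked_certs:
        filt.add(cert_fingerprint(cert))
    return filt


def is_possibly_revoked(filt: RevocationBloomFilter, cert_der: bytes) -> bool:
    """The relying party must hold the certificate itself to ask the question."""
    return filt.may_contain(cert_fingerprint(cert_der))


def expected_false_positive_rate(n_entries: int, m_bits: int, k_hashes: int) -> float:
    """Standard Bloom filter estimate: (1 - e^(-kn/m))^k."""
    return (1.0 - math.exp(-k_hashes * n_entries / m_bits)) ** k_hashes


# Constructed stand-ins for DER certificates (not real X.509 data).
REVOKED = [b"constructed-cert-serial-0001", b"constructed-cert-serial-0002",
           b"constructed-cert-serial-0003"]
STILL_VALID = b"constructed-cert-serial-0004"

if __name__ == "__main__":
    filt = build_revocation_filter(REVOKED)
    print("filter size (bytes):", len(filt.to_bytes()))
    print("revoked cert flagged:", is_possibly_revoked(filt, REVOKED[0]))
    print("valid cert flagged:", is_possibly_revoked(filt, STILL_VALID))
    print("expected FP rate:", expected_false_positive_rate(len(REVOKED), 8192, 4))
```

The point of running the two checks side by side is the one made in the reply: whoever already holds a certificate, because it was used with them in an end-to-end exchange, can query either structure and learn that the certificate was revoked, so the leak is reduced rather than removed. A party that only obtains the published filter or hash list, with no certificates in hand, sees neither serial numbers nor revocation dates. The false-positive estimate is what an operator would size m and k against, since a positive answer only means a second, authoritative check is needed.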
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com