How many wrongs do you need to make a right?

Adam Back adam at cypherspace.org
Wed Aug 17 09:51:52 EDT 2005


Not to defend PKI, but what about delta-CRLs?

Maybe not available at the time of the Navy deployment?  But certainly
meaning that people can download just the changes since the last update.

Steven writes:
> [alternatives] such as simply publishing the hash of revoked
> certificates,

Well presumably you mean a Merkle hash tree or something?  (A single
hash of all the revoked certs doesn't help you as you don't know which
are revoked and so have insufficient data to go into the hash function
to verify if a given cert is on the list.)

Adam

On Wed, Aug 17, 2005 at 08:40:19AM -0400, Steven M. Bellovin wrote:
> In message <87br3wdal7.fsf at mid.deneb.enyo.de>, Florian Weimer writes:
> 
> >
> >Can't you strip the certificates which have expired from the CRL?  (I
> >know that with OpenPGP, you can't, but that's a different story.)
> >
> >OTOH, I wouldn't be concerned by the file size, although it's
> >certainly annoying.  I would be really worried that the contents of
> >that CRL leaks sensitive information.  At least from a privacy point
> >of view, this is a big, big problem, especially if you include some
> >indication which allows you to judge the validity of old signatures.
> >
> 
> One can easily conceive of schemes that don't have such problems, such 
> as simply publishing the hash of revoked certificates, or using a Bloom 
> filter based on the hashes.
> 
> Of course, that doesn't mean that was how it was done...

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
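The contrast drawn in the thread, as an added example that is not part of the original messages: a single hash over the revoked list commits to it but gives a relying party no membership test; a Merkle tree over the sorted revoked serials yields a short per-entry inclusion proof checkable from the root alone; and a Bloom filter over the hashes gives a compact probabilistic test with false positives but no false negatives. The tree layout (domain-separated leaf and node hashes, odd levels padded by duplicating the last node), the way the Bloom filter derives its bit positions from SHA-256, and all serial numbers are assumptions constructed for this example.

```python
"""Added example, not code from the thread: three ways to publish a revocation set.
All serial numbers are constructed sample values; tree and filter layouts are assumed."""
import hashlib
import math


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Leaves and interior nodes use different prefixes so an interior hash cannot be
# presented as a leaf (the classic second-preimage trick on naive Merkle trees).
def leaf_hash(serial: bytes) -> bytes:
    return sha256(b"\x00" + serial)


def node_hash(left: bytes, right: bytes) -> bytes:
    return sha256(b"\x01" + left + right)


def build_levels(leaves):
    """Tree as a list of levels: levels[0] are the leaves, levels[-1] is [root].
    A level with an odd number of nodes is padded by duplicating its last node."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur.append(cur[-1])
        levels.append([node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def inclusion_proof(levels, index):
    """Sibling hashes from leaf to root as (hash, sibling_is_left) pairs."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        proof.append((level[sibling], sibling < index))
        index //= 2
    return proof


def verify_inclusion(root: bytes, leaf: bytes, proof) -> bool:
    """Relying-party side: needs the root, one leaf and its proof, never the full list."""
    cur = leaf
    for sibling, sibling_is_left in proof:
        cur = node_hash(sibling, cur) if sibling_is_left else node_hash(cur, sibling)
    return cur == root


class RevocationTree:
    """Issuer side: commits to the revoked serials and hands out inclusion proofs."""

    def __init__(self, revoked_serials):
        self.serials = sorted(set(revoked_serials))
        self.levels = build_levels([leaf_hash(s) for s in self.serials])
        self.root = self.levels[-1][0]

    def proof(self, serial: bytes):
        return inclusion_proof(self.levels, self.serials.index(serial))


class BloomFilter:
    """m-bit filter; the k bit positions per item are 4-byte slices of SHA-256(item), k <= 8."""

    def __init__(self, m_bits: int, k: int):
        assert 1 <= k <= 8
        self.m, self.k = m_bits, k
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, item: bytes):
        d = sha256(item)
        return [int.from_bytes(d[4 * i:4 * i + 4], "big") % self.m for i in range(self.k)]

    def add(self, item: bytes) -> None:
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, item: bytes) -> bool:
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(item))


def bloom_false_positive_rate(n: int, m: int, k: int) -> float:
    """Standard estimate (1 - e^(-kn/m))^k for n inserted items, m bits, k hashes."""
    return (1 - math.exp(-k * n / m)) ** k


# Constructed sample data: five revoked serials and one certificate that is still valid.
REVOKED = [bytes.fromhex(s) for s in ("0a1b2c", "1234567890", "deadbeef", "0badf00d", "cafebabe")]
VALID = bytes.fromhex("00c0ffee")


def demo():
    tree = RevocationTree(REVOKED)
    bloom = BloomFilter(m_bits=256, k=4)
    for s in REVOKED:
        bloom.add(sha256(s))
    # One hash over the whole list: only someone holding the whole list can recompute it,
    # so it is a commitment, not a membership test.
    single = sha256(b"".join(sorted(REVOKED)))
    proof = tree.proof(REVOKED[2])
    return {
        "single_hash_len": len(single),
        "merkle_ok": verify_inclusion(tree.root, leaf_hash(REVOKED[2]), proof),
        "merkle_rejects_other": verify_inclusion(tree.root, leaf_hash(VALID), proof),
        "proof_len": len(proof),
        "bloom_hits_all_revoked": all(sha256(s) in bloom for s in REVOKED),
        "bloom_fpr": bloom_false_positive_rate(len(REVOKED), 256, 4),
    }


if __name__ == "__main__":
    print(demo())
```

The Merkle proof answers only "is this serial on the list"; proving that a serial is absent needs the sorted tree plus an adjacency proof for the two neighbouring leaves, which this example leaves out. A Bloom filter hit means "possibly revoked" and must be confirmed against the real list before rejecting a certificate, while a miss is definitive; the estimate function shows how the false-positive rate trades off against the filter size and hash count.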