[Cryptography] A PKI without CRLs or OCSP

Tony Arcieri bascule at gmail.com
Wed Oct 26 12:42:40 EDT 2016


On Tue, Oct 25, 2016 at 9:48 PM, Francisco Corella <fcorella at pomcor.com>
wrote:

> [...] remarkable advantages.  In particular, the verifier can validate
> a certificate chain on its local copy of the blockchain
>

The disadvantage is every client needs a copy of the entire blockchain /
log. There's already a system in place that works much like a blockchain
for certificates: Certificate Transparency logs:

https://mikecborg.wordpress.com/2016/10/25/googles-ct-logs-and-purposes/

Unfortunately these logs have such high volume that nobody but Google can
presently operate one capable of handling Let's Encrypt, let alone trying
to push that volume of data out to every client so they have a local copy
of every certificate.

> without any network access
>

What's the use case? I'll note with OCSP stapling a client can validate a
certificate chain with only network access to the destination service whose
certificate they're trying to validate. You seem to be talking about
verifying certificates in a context where you aren't even trying to
initiate an SSL/TLS connection?

-- 
Tony Arcieri