ietf-openpgp

Re: Principles and Principals

1997-10-02 06:40:16
On Wed, 1 Oct 1997 16:22:11 -0400, dpkemp(_at_)missi(_dot_)ncsc(_dot_)mil 
(David P. Kemp) wrote:

<snip>

Pat,

     This is certainly not a major problem in the environments 
with which I am most familiar.  Certificate revocation (due to 
invalidation of one of the pieces of information bound into 
the certificate) is far more common than key revocation (due to 
loss or compromise of the key).  The former occurs when jobs, 
mailboxes, roles, or sometimes even authorizations change.  This 
happens at a much higher rate than key loss.

Key revocation due to compromise is far less common than normal
periodic key expiration in some environments.  Those of us who
are paranoid about security :-) change keys *more* often than
we change names/jobs/email-addresses/whatever.

You're quite right, of course.  However, I guess one of 
my unstated assumptions was that this would not be something 
that we would use a revocation mechanism for.  Normal cert 
expiration dates are usually used to reflect planned rekeying.

Chris


 ---------------------------------------------------------------
 |  International Electronic Communication Analysts, Inc.      |
 |  Christopher D. Bonatti                 9010 Edgepark Road  |
 |  Vice-president                     Vienna, Virginia 22182  |
 |  bonattic(_at_)ieca(_dot_)com   Tel: 301-212-9428   Fax: 703-506-8377  |
 |  PGP public key available from "http://www.ieca.com/"        |
 ---------------------------------------------------------------
