RFC [FORMS] defines syntax for key certification,
certificate-revocation list (CRL) storage, and CRL retrieval.
The CRL-retrieval syntax as currently proposed consists of CRL issuer
names and has no privacy enhancement.
What do you think of changing the syntax to be a signed
privacy-enhanced message whose content consists of the CRL issuer
names? (The content would also need a nonce to prevent replay.)
Or, such a form could be an alternative to the current proposed
syntax. The benefit of signing the request is that service providers
can determine who is requesting the service, and thereby control
access to the service. For instance, a service provider might give
free access to CRLs to everyone in the Internet, but require people in
other networks to pay a fee.
Should this be an RFC [FORMS] requirement, an option, or outside the
scope of RFC [FORMS]?
-- Burt