Sender: pem-dev-relay(_at_)TIS(_dot_)COM
From: burt(_at_)RSA(_dot_)COM (Burt Kaliski)
To: pem-dev(_at_)TIS(_dot_)COM
Date: Fri, 26 Jun 92 17:11:19 PDT
Subject: Signed CRL-retrieval requests
> RFC [FORMS] defines syntax for key certification,
> certificate-revocation list (CRL) storage, and CRL retrieval.
> The CRL-retrieval syntax as currently proposed consists of CRL issuer
> names and has no privacy enhancement.
> What do you think of changing the syntax to be a signed
> privacy-enhanced message whose content consists of the CRL issuer
> names? (The content would also need a nonce to prevent replay.)
> Or, such a form could be an alternative to the current proposed
> syntax. The benefit of signing the request is that service providers
> can determine who is requesting the service, and thereby control
> access to the service. For instance, a service provider might give
> free access to CRLs to everyone in the Internet, but require people in
> other networks to pay a fee.
> Should this be an RFC [FORMS] requirement, an option, or outside the
> scope of RFC [FORMS]?
> -- Burt
Burt,
We have dicussed a number of mechanisms for CRL distribution including
anonymous ftp and even a news feed scenario. I question the necessity
of authenticating a requestor under these circumstances. Further,
as an issuer I believe it is in my best interest to have my CRL as
widely disseminated as possible. Charging a fee would probably be
contrary to this interest. I have no objection to adding the
signature as an option but it could be detrimental to make it a
requirement. Can you envision other scenarios where it might
be advantageous to include the signature?
Paul Clark
Trusted Information Systems, Inc.
3060 Washington Road
Glenwood, MD 21738