pem-dev

Signed CRL-retrieval requests

1992-06-29 08:53:00
Dear Paul --

Thanks for your comments on the proposed RFC [FORMS] changes.

                           I have no objection to adding the 
signature as an option but it could be detrimental to make it a
requirement. Can you envision other scenarios where it might
be advantageous to include the signature?

I agree with you that requiring a signature is detrimental. It's a
useful option, though. Someone has to pay the CRL service provider,
either the CRL issuers or the ones requesting the CRLs. If the
requestors are charged, but not the issuers, then the service provider
needs to make sure a request comes from someone who has paid. For
instance, the service provider might check that the requestor has a
certificate in the service provider's certification hierarchy.

As Jeff Schiller observes, it probably makes the most sense to leave
privacy enhancement of CRL-retrieval requests to the service provider.
RFC [FORMS] will define the request syntax, and note that the request
may be encapsulated in a privacy-enhanced message, as specified by the
service provider.

--> Final question (mostly to PEM working group members): Should I
    submit RFC [FORMS] as an Internet-Draft with these changes for
    consideration at the July IETF meeting?

-- Burt

