Peter Kirstein of Univ Coll London is, as you know, working for the
British MOD on developing a prototype PEM version that is interoperable
with our version. He wants a copy of the interface specs, which he
would prefer electronically, as soon as possible. Do we have an
interface spec. other than just the RFC (which, presumably, he already
has)? Would you please follow through on this?
He also expressed an opinion that the PEM certificates could (he
didn't say "must") be distributed through an X.500 directory structure.
He suggested that certificate revocation in most applications can be
handled daily (e.g., in the early morning), with processes running from
a cache during most of the day. In only a few cases is revocation
so time critical that the would be needed more often than once in 24
hours and, if you had such an application, you could refresh the
validity of your cached certificates as often as you liked. I knew just
enough to know it would be dangerous for me to reply immediately to
this, so I nodded politely but noncommittally. I had heard from
somewhere else that he had a fundamental disagreement over the
authorizing or vouching for the validity of an identity claimed via a
certificate; I did not detect that disagreement. I think his issue was
more: once a certificate is authenticated, however, how is it to be
disseminated? Am I misunderstanding a thread?
--Chuck
p.s. Peter expects to be in DC on 8 December. He may call and try to
come by.