> >> 2. I wonder, if you don't trust some CA to send you CURRENTLY
> >> VALID certificates in the path of your partner, how can
> >> you trust the same CA to send you the CRL, when both
> >> messages are THE SAME TYPE of the PEM letter (MIC-ONLY).
>
> Please note that CRLs are signed objects and are validated by the
> user. Also, I don't have to ask the CA for certificates, they are
> signed objects. They can be supplied to me from anyone, including the
> originator and I can validate them at my leisure with no direct
> interaction with the originator's CA at all !
Steve just indicated that, for non-repudiation, the CRLs must be
obtained after the receipt of the message. Doesn't the above statement
violate non-repudiation? It seems to me that I must have "direct
interaction" not only with the originator's CA, but EVERY CA, PCA, etc.
throughout the entire hierarchy after the receipt of every single
message for which non-repudiation is desired.
(As an aside, I think the term user should be avoided in favor of
originator or recipient.)
Tom Jones - ViaCrypt div. of Lemcom Sys
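The rule under discussion, written out as an added example that is not part of this thread: for every certificate in the originator's path, the recipient needs a CRL that the issuing CA signed (whoever delivered it) and whose thisUpdate is no earlier than the moment the message was received. The path (alice, CA, PCA, IPRA), the receipt time and the CA keys are constructed, and an HMAC stands in for the RSA signature a real PEM CRL carries.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int

@dataclass
class CRL:
    issuer: str
    this_update: datetime
    revoked: frozenset
    signature: bytes = b""

    def body(self) -> bytes:  # the bytes the issuing CA signs
        return f"{self.issuer}|{self.this_update.isoformat()}|{sorted(self.revoked)}".encode()

# Constructed CA signing keys. HMAC is a stand-in for the RSA signature a
# real PEM CRL carries; the point is that validity rests on the signature,
# not on who delivered the CRL.
KEYS = {"CA": b"ca-key", "PCA": b"pca-key", "IPRA": b"ipra-key"}
HOUR = timedelta(hours=1)
RECEIVED = datetime(1993, 3, 1, 12, 0, tzinfo=timezone.utc)  # constructed receipt time
# Constructed path: originator's cert, its CA's cert, that CA's PCA cert (signed by the root IPRA).
PATH = [Cert("alice", "CA", 7), Cert("CA", "PCA", 2), Cert("PCA", "IPRA", 1)]

def make_crl(issuer, this_update, revoked=()):
    crl = CRL(issuer, this_update, frozenset(revoked))
    crl.signature = hmac.new(KEYS[issuer], crl.body(), hashlib.sha256).digest()
    return crl

def crl_signature_ok(crl):
    expected = hmac.new(KEYS[crl.issuer], crl.body(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, crl.signature)

def non_repudiation_check(path, crls, received_at):
    """Every cert needs a validly signed, post-receipt CRL from its issuer that does not list it."""
    for cert in path:
        usable = [c for c in crls if c.issuer == cert.issuer and c.issuer in KEYS
                  and crl_signature_ok(c) and c.this_update >= received_at]
        if not usable:
            return False, f"no CRL from {cert.issuer} issued after receipt"
        if cert.serial in max(usable, key=lambda c: c.this_update).revoked:
            return False, f"{cert.subject} (serial {cert.serial}) revoked by {cert.issuer}"
    return True, "path is free of revocations as of the post-receipt CRLs"
```

A CRL dated before receipt, or one missing for any CA up the hierarchy, fails the check even when the originator's own CA has cleared the certificate.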