I saw something go by the other day that I thought I must have misunderstood,
but I recently read Steve Kent's CACM article re PEM and saw the same statement
regarding the responsibility of the IPRA and the PCAs:
"There is also a requirement that each PCA provide robust access (for its users)
to a global CRL database. This database is coordinated among the IPRA and
the PCAs, and it will contain CRLs issued by the IPRA, all PCAs, and all CAs."

Is this true? And if so, why is it a requirement? In particular, I thought we
were NOT assuming cross-certification across PCAs. In that case, why would
cross-PCA CRLs even matter?

For example, if I am a user or subscriber under the RSA Commercial Hierarchy,
why should I care whether a given user in some other PCA's hierarchy has been
revoked or not, since I probably won't correspond with that person or accept
any messages from outside of my PCA's hierarchy in any case?

As I recall, if I operate a CA, I am duty bound to provide all of the CRLs I
receive from my PCA to all of the users I have certified. Someone correct me
if this is not the case, but if it is true, then I don't want to be bothered
with information outside of the policy hierarchy I have subscribed to. I'm
sure that all the Internet users in Riga, Latvia, are nice people, but I
really don't care whether they have changed jobs recently or not. In fact,
since everyone is taking the position that digital signatures should not be
used for signing messages of financial value without a paper agreement to back
them up, I don't even care if that user's key has been compromised -- I can't
buy or sell anything with this mechanism, I don't care whether he is speaking
for his organization, and I'm not going to send him an encrypted message in
any case.

If a particular CA wishes to be certified under two PCAs, e.g., under the RSA
Commercial Hierarchy for commercial transactions, and under the TIS
medium-security hierarchy for casual e-mail, then the CA should be responsible
for providing access for its users to both PCAs' CRL lists. But I still don't
see the need for all PCAs to maintain a database of all of the CRLs in the
world, especially since I am going to ask my PCA to maintain an archive of all
the CRLs ever issued by CAs under its hierarchy, essentially forever.

If the Internet has the funds to operate such a global database, that's fine,
but please don't require all of the PCAs, and probably the CAs in turn, to
implement a "push" type of distribution mechanism for CRLs in that case. Let
the users who need to validate a certificate go to the IPRL for the
information using a "pull" model as required.

Apologies in advance if this issue has been debated extensively and I missed
it -- I haven't had the time to read PEM-DEV as thoroughly as I used to.