Steve -
Thanks for the clarification. I was assuming that a CA had to push all the CRLs
to all of its
users -- I guess I've gotten a little out of touch. However, based on some
conversations I
have had, I am not sure that all of the various actual and potential PCAs
understand the
responsibilities you have expressed, or are necessarily willing to sign up to
implement them.
Can you say a little more about how the actual implementation would work? How
will the
PCAs communicate their CRLs to each other? Will the IPRA actually operate a
database,
or is it primarily a paper registration authority?
How often are the PCAs required to post CRLs to each other and/or the IPRA? Or
do the PCAs
"pull" CRLs from other PCAs periodically, on request, or whenever the spirit
moves them?
I.e., what is the maximum latency time before a user could obtain a current CRL
from a "foreign"
PCA?
On the other hand, why does the IPRA require that CRLs be submitted no more
often than
once a week? If CRLs are iintended to limit liability or at least prevent
someone from
communicating with someone whose keys may have been compromised, shouldn't a CA
be
able to post an emergency CRL whenever the need arises?
Lastly, is the IPRA policy posted yet, and if so, what are the constraints as
to how often it can
be modified and when will it expire? Does it provide any constraints on how
often the PCAs
policy can be updated, etc.?