pem-dev

Re: PCA policies re legally binding signatures

1993-08-11 07:57:00
=>      Which indeed does not relieve the necessity to somehow
=>      propagate lists of stolen keys. But we all know that the CRL approach
=>      is very weak -- there is no way to be sure one has got the last, up to
=>      date, CRL...
=> 
=> Well, yes, we never know if the CRL we have is absolutely the most
=> current one due to the possibility of emergency CRL issuance, but I
=> think experience will show that reliance on the next scheduled issue
=> date will suffice for most applications, and for very stringent
=> non-repudiation applications you need to wait for the CRL that is
=> issued after the "transaction" anyway.

Steve,

Looks like the only way to solve the "very stringent requirement" that you
mention is to either wait a couple of [months, weeks, days, hours] or to have
an "online" exchange with the CA... Do we envisage deploying that? I was under
the impression that real safe CAs were off line for security reasons!

Christian Huitema
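
The rule in the quoted reply (rely on the next scheduled issue date for most applications, wait for the CRL issued after the transaction for stringent non-repudiation), written out as an added Python example that is not part of the original message. The simplified CRL model, the field names, the `check` function and the sample dates are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime
from enum import Enum


class Verdict(Enum):
    ACCEPT = "accept"
    REVOKED = "revoked"
    STALE = "stale"  # the CRL held is past its next scheduled issue date
    WAIT = "wait"    # no CRL issued after the transaction is available yet


@dataclass
class CRL:
    """Hypothetical, simplified CRL: issue date, next scheduled issue, serials."""
    this_update: datetime
    next_update: datetime
    revoked: frozenset = field(default_factory=frozenset)


def check(serial, signed_at, crl, now, stringent=False):
    """Decide whether a signature made at signed_at can be relied on."""
    if serial in crl.revoked:
        return Verdict.REVOKED
    if stringent:
        # Non-repudiation: only a CRL issued after the transaction can show
        # the certificate was still unrevoked when the signature was made.
        return Verdict.ACCEPT if crl.this_update > signed_at else Verdict.WAIT
    # Ordinary use: trust the CRL until its next scheduled issue date.
    # An emergency CRL issued in between would go unnoticed here.
    return Verdict.ACCEPT if now < crl.next_update else Verdict.STALE


# Constructed sample data: two monthly CRLs and one signed transaction.
AUG_CRL = CRL(datetime(1993, 8, 1), datetime(1993, 9, 1), frozenset({1001}))
SEP_CRL = CRL(datetime(1993, 9, 1), datetime(1993, 10, 1), frozenset({1001, 1002}))
SIGNED_AT = datetime(1993, 8, 11, 7, 57)

if __name__ == "__main__":
    day_after = datetime(1993, 8, 12)
    print(check(1002, SIGNED_AT, AUG_CRL, day_after))                  # ordinary
    print(check(1002, SIGNED_AT, AUG_CRL, day_after, stringent=True))  # must wait
    print(check(1002, SIGNED_AT, SEP_CRL, datetime(1993, 9, 2), stringent=True))
```

With monthly issuance the stringent case stays in `WAIT` until the September CRL appears, which is the delay the message above objects to.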
