Charlie,
Your concern about increased vulnerability for a CA's key is
one which I share and it is a good motivation for not requiring a CA
to provide an online CRL (or equivalent) issuance service. I agree
that one could establish conventions for using other keys to sign the
sort of messages that Bob Jueneman proposes for realtime validation of
the status of a certificate. However, this is only a partial measure
since if these on-demand CRL-like-substances form a basis of
non-repudiation then the key used to sign them is itself quite
valuable. Given the likely diverse set of requirements for frequency
of CRL issuance, I continue to support the current standard
requirements, which allow PCAs to individually determine frequency of
issuance and do not require realtime, per-certificate responses.
I recall an earlier discussion about the communications
efficiency of the current, PCA-centric system. Note that a single
request to any PCA can retrieve multiple CRLs, representing various
CAs and PCAs, which may very well be more efficient (in terms of
network bandwidth, packet count, etc.) than individual requests sent
to multiple CAs. Nonetheless, if PCAs and CAs wish to provide
additional services for their client populations, such as those
suggested, that is within the current standards, although
interoperability would benefit from specification of a common format
for requests and responses for this different sort of signed object.
Such format standards could be ancillary to the base PEM standards, as
not all PEM users would need to avail themselves of such facilities,
and not all PCAs/CAs should be required to offer these facilities.
Steve