Bob,
PEM is for more than commercial applications, so I see no reason to
change the 30-day upper bound value in the base requirements. As I
noted, PCAs are free to establish shorter, required CRL issuance
intervals and should do so where commercial interests demand it. Most
of your other points fall into the same category, i.e., they are not
baseline requirements but PCA-specific.
You also addressed the issue of CA vs. PCA CRL responsibilities. While
I agree that a user is likely to be "closer" to his CA than to the PCA
that certified the CA, I don't think this is a critical aspect in
discussing which of the two provides CRL access. In a commercial
environment I expect your CA will have a contractual relationship with
the PCA and that should suffice to ensure that the PCA lives up to its
CRL management responsibilities (as described in the PCA policy
statement). If the CRL were stored in the X.500 directory system, a
user might access it via a request to his local DSA, which could chain
the request to the DSA where the CRL is stored. It is likely that
neither of these DSAs would be operated by the CAs in question.
As for what is required to provide non-repudiation, I am working
on a short paper on that topic. There are a number of subtle aspects of
this service. That the dates in CRLs should be accurate is obvious, and
I think goes without saying. A PCA policy might specify what it would
do if it found that a CA was not doing a responsible job in this
respect, and define just what level of accuracy is required.
Yes, involving the PCA and/or CA in real-time, signed exchanges
for CRL retrieval would address some of the concerns you raise, but I
think that has terrible implications for security and performance at CAs
and PCAs.
Steve