John:
The performance problem you refer to has also been addressed in the latest X.509
Amendment on the v3 standard extensions. New matching rules are defined for
certificate and for CRL which allow only specific values (typically one) to be
returned from a read of the multivalued X.500 attribute. Certificates can be
selected on the basis of date/time, algorithm, key usage purpose, subject name
form, policy, and key identifier. CRLs can be selected on the basis of CRL
sequence number, date/time, and revocation reasons covered. CRLs can now be
partitioned to cover distinct subcommunities of the subject population of a CA,
and can also be partitioned on the basis of different revocation reasons (e.g.,
one CRL for compromises only).
If preferred, X.509 certificates can be distributed via other types of
directory/database as MITRE describe. What is most important is standardization
of the certificate format, so that common CAs can support multiple applications.
Warwick
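Added illustration, not part of the message above and not the ASN.1 matching rules of the X.509 amendment: a simplified Python model of reading only the matching values out of a multivalued userCertificate or certificateRevocationList attribute, using the selection criteria Warwick lists (validity time, algorithm, key usage, subject, policy, key identifier for certificates; sequence number, time, reasons covered and subject subcommunity for CRLs). Record field names, reason names and the sample data are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed stand-ins for values of the multivalued X.500 attributes userCertificate
# and certificateRevocationList; field names are this example's, not X.509 ASN.1.
@dataclass(frozen=True)
class Cert:
    serial: int; subject: str; algorithm: str; key_id: bytes
    not_before: datetime; not_after: datetime
    key_usage: frozenset; policies: frozenset

@dataclass(frozen=True)
class CRL:
    number: int; this_update: datetime; scope: str  # scope "*" = whole subject population
    reasons: frozenset  # revocation reasons covered; empty = all reasons (complete CRL)

ALL_REASONS = frozenset({"keyCompromise", "cACompromise", "affiliationChanged", "superseded", "certificateHold"})

def certificate_match(c, *, valid_at=None, algorithm=None, key_usage=(),
                      policy=None, subject=None, key_id=None):
    """Certificate matching rule: every supplied component must hold; omitted ones match anything."""
    return ((valid_at is None or c.not_before <= valid_at <= c.not_after)
            and (algorithm is None or c.algorithm == algorithm)
            and frozenset(key_usage) <= c.key_usage
            and (policy is None or policy in c.policies)
            and (subject is None or c.subject == subject)
            and (key_id is None or c.key_id == key_id))

def crl_match(l, *, min_number=None, max_number=None, at=None, reasons=(), scope=None):
    """CRL matching rule: sequence-number range, issue time, reasons covered, population covered."""
    return ((min_number is None or l.number >= min_number)
            and (max_number is None or l.number <= max_number)
            and (at is None or l.this_update <= at)
            and frozenset(reasons) <= (l.reasons or ALL_REASONS)   # partitioned CRL covers a subset
            and (scope is None or l.scope in ("*", scope)))

def select(values, matcher, **assertion):
    """Read of the multivalued attribute filtered by a matching rule: only matching values come back."""
    return [v for v in values if matcher(v, **assertion)]

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

def sample_values():
    """Constructed directory content for one CA: three certificates and three partitioned CRLs."""
    certs = [Cert(1, "CN=alice", "rsa", b"\x01", utc(1996, 1, 1), utc(1997, 1, 1), frozenset({"digitalSignature"}), frozenset({"1.2.3"})),
             Cert(2, "CN=alice", "rsa", b"\x02", utc(1997, 1, 1), utc(1999, 1, 1), frozenset({"keyEncipherment"}), frozenset({"1.2.3"})),
             Cert(3, "CN=alice", "dsa", b"\x03", utc(1997, 1, 1), utc(1999, 1, 1), frozenset({"digitalSignature"}), frozenset())]
    crls = [CRL(10, utc(1997, 6, 1), "*", frozenset()),                                  # complete CRL
            CRL(11, utc(1997, 6, 2), "*", frozenset({"keyCompromise", "cACompromise"})),  # compromises only
            CRL(12, utc(1997, 6, 3), "OU=Sales", frozenset())]                           # one subcommunity
    return certs, crls
```

A relying party asking for "the RSA certificate valid now" or "a CRL that covers key compromise for OU=Sales" gets back one or two values instead of every certificate and CRL the CA has ever published.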