CDR: Re: Public Key Infrastructure: An Artifact...

Lynn.Wheeler at firstdata.com Lynn.Wheeler at firstdata.com
Mon Nov 27 10:58:23 PST 2000




problem is that consumers don't normally know that they want to check on a
particular merchant's CRL entry until they realize that they want to go to that
merchant site. in general, the consumers aren't going to want to keep a local
(usenet) database of all CRL entries (however they are distributed) ... so it is
more likely the ISP would have to keep all the entries ... pushed into a
database ... and let the consumer do an online database lookup of the CRL
entries (effectively the local ISP is keeping a cached copy of all entries ... and
uses usenet as the distribution infrastructure).

sometimes, usenet can take several hrs to a day to propagate ... so the person
may still want to do an online transaction against the agency that issued a
certificate

In which case, the local ISP would be considered a "stand-in" ... maintaining a
negative file ... and returning positive answers if there isn't a match in the
negative file for the online transaction ... in which case the consumer may
still want to do another online transaction against the master file (located
somewhere in the internet).

Given that online transactions are being performed ... then it may even be more
straightforward to use domain name infrastructure to manage distribution and
management of cached entries. It has somewhat better online transaction
semantics than usenet (already). However, since this is turning into an online
transaction infrastructure ... it is then possible to eliminate both the
certificates and CRLs totally and just use the straightforward domain name
infrastructure.

back again to certificates typically being superfluous and redundant in an
online infrastructure.






"Arnold G. Reinhold" <reinhold at world.std.com> on 11/27/2000 07:53:35 AM

Please respond to "Arnold G. Reinhold" <reinhold at world.std.com>
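The "stand-in" arrangement described in the message above (an ISP-cached negative file whose miss is only provisional once the slowly propagated CRL data is stale), as an added example that is not part of the original post; the serial numbers, timestamps, freshness bound and master-file lookup are all constructed.

```python
"""Added example (not from the original post): a 'stand-in' revocation
check built around a locally cached negative file. The serials, times,
freshness bound and the master lookup are constructed/hypothetical."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional, Set, Tuple


@dataclass
class StandIn:
    """Negative file (revoked serials) plus the time the last CRL batch
    arrived over the slow distribution channel (usenet in the message)."""
    revoked: Set[str] = field(default_factory=set)
    last_update: Optional[datetime] = None
    max_age: timedelta = timedelta(hours=4)   # assumed freshness bound

    def load_crl(self, serials: Set[str], received_at: datetime) -> None:
        self.revoked.update(serials)
        self.last_update = received_at

    def check(self, serial: str, now: datetime,
              master_lookup: Optional[Callable[[str], bool]] = None
              ) -> Tuple[str, str]:
        """Return (status, source). A hit in the negative file is final.
        A miss is only a provisional 'good': if the cache may have missed
        a recent revocation (older than max_age) and the master file is
        reachable, ask the master instead of answering from the cache."""
        if serial in self.revoked:
            return ("revoked", "stand-in")
        stale = (self.last_update is None
                 or now - self.last_update > self.max_age)
        if stale and master_lookup is not None:
            return ("revoked" if master_lookup(serial) else "good", "master")
        return ("good", "stand-in")


# constructed data: CRL batch received at FRESH; 0x2003 revoked afterwards
FRESH = datetime(2000, 11, 27, 9, 0, tzinfo=timezone.utc)
MASTER_REVOKED = {"0x1001", "0x1002", "0x2003"}


def master_lookup(serial: str) -> bool:
    """Stand-in for the online transaction against the issuer's master file."""
    return serial in MASTER_REVOKED


def demo():
    si = StandIn()
    si.load_crl({"0x1001", "0x1002"}, FRESH)
    t_fresh = FRESH + timedelta(hours=1)     # within max_age: cache answers
    t_stale = FRESH + timedelta(hours=10)    # beyond max_age: go to master
    return [si.check("0x1001", t_fresh),
            si.check("0x2003", t_fresh),
            si.check("0x2003", t_stale, master_lookup)]
```

The second result shows the propagation-delay problem the message raises: a serial revoked after the last batch is reported "good" by the cache until the staleness check forces the online lookup.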


