[18208] in cryptography@c2.net mail archive
Re: How many wrongs do you need to make a right?
daemon@ATHENA.MIT.EDU (Florian Weimer)
Wed Aug 17 08:28:54 2005
X-Original-To: cryptography@metzdowd.com
From: Florian Weimer <fw@deneb.enyo.de>
To: pgut001@cs.auckland.ac.nz (Peter Gutmann)
Cc: cryptography@metzdowd.com
Date: Wed, 17 Aug 2005 14:14:28 +0200
In-Reply-To: <E1E5KpI-0004gK-00@medusa01.cs.auckland.ac.nz> (Peter Gutmann's
message of "Wed, 17 Aug 2005 22:07:16 +1200")
* Peter Gutmann:
> http://www.networkworld.com/news/2005/081505-pki.html?nl
>
> [...]
> Along the way, the military also has revoked 10 million certificates as
> personnel and network needs change. That huge certificate revocation list
> (CRL) - which has bloated to over 50M bytes in file size - is the crux of the
> problem facing the Defense Department, because the entire CRL is supposed to
> be downloaded daily to every PKI user's desktop at the department from servers
> acting as distribution points.
>
> [...]
>
> Gosh, I wonder why no-one saw that coming.
Can't you strip the certificates which have expired from the CRL? (I
know that with OpenPGP, you can't, but that's a different story.)
OTOH, I wouldn't be concerned by the file size, although it's
certainly annoying. I would be really worried that the contents of
that CRL leaks sensitive information. At least from a privacy point
of view, this is a big, big problem, especially if you include some
indication which allows you to judge the validity of old signatures.
> (I guess they have to revoke all those certs that were issued in exchange for
> a few dollars and some weed :-).
8-)
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
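The question of stripping expired certificates from the CRL has a known answer in RFC 5280 (section 5): an entry may be removed only once the certificate has expired and the entry has already appeared on at least one CRL issued after that expiry, so that a relying party holding the previous CRL can still see it. The following is an added example, not code from the thread, the list or any DoD PKI software; it models a CRL in memory rather than as ASN.1 and assumes the issuer keeps each revoked certificate's notAfter date in its own records, showing the tempting shortcut beside the compliant pruning rule on a constructed three-entry CRL.

```python
"""Prune a CRL of entries for expired certificates (added example, not from
the original thread).  Models a CRL in memory, no ASN.1, and applies the
RFC 5280 section 5 rule: an entry is removed only once the revoked
certificate has expired AND the entry has already appeared on a CRL issued
after that expiry.  Certificate expiry dates are assumed to come from the
issuer's own records (hypothetical field `cert_not_after`)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Tuple


@dataclass(frozen=True)
class RevokedEntry:
    serial: int
    revocation_date: datetime
    cert_not_after: datetime  # notAfter of the revoked cert, from issuer records


@dataclass(frozen=True)
class Crl:
    this_update: datetime
    entries: Tuple[RevokedEntry, ...]

    def serials(self):
        return {e.serial for e in self.entries}


def prune_naive(previous: Crl, now: datetime) -> Crl:
    """Drop every entry whose certificate has expired by `now`.

    The tempting shortcut.  It breaks the RFC 5280 rule: a relying party who
    holds the previous CRL never receives a CRL that both postdates the
    certificate's expiry and still lists it.
    """
    kept = tuple(e for e in previous.entries if e.cert_not_after >= now)
    return Crl(this_update=now, entries=kept)


def prune_rfc5280(previous: Crl, now: datetime) -> Crl:
    """Issue the next CRL at `now`, dropping entries only when permitted.

    An entry is dropped only if the previous CRL (which carried it) was
    itself issued after the certificate's notAfter: that previous CRL is the
    one post-expiry CRL the rule requires.  Entries for certificates that
    are still valid are kept automatically, since previous.this_update < now.
    """
    if now <= previous.this_update:
        raise ValueError("new CRL must be issued after the previous one")
    kept = tuple(
        e for e in previous.entries if previous.this_update <= e.cert_not_after
    )
    return Crl(this_update=now, entries=kept)


def utc(y, m, d, h=0):
    return datetime(y, m, d, h, tzinfo=timezone.utc)


# Constructed sample data: yesterday's daily CRL with three revoked certs.
SAMPLE_CRL = Crl(
    this_update=utc(2005, 8, 16),
    entries=(
        RevokedEntry(1, utc(2005, 1, 10), utc(2006, 1, 1)),     # still valid
        RevokedEntry(2, utc(2005, 2, 1), utc(2005, 8, 16, 12)),  # expired after last CRL
        RevokedEntry(3, utc(2004, 5, 5), utc(2005, 8, 1)),      # expired before last CRL
    ),
)

if __name__ == "__main__":
    today = utc(2005, 8, 17)
    print("naive:", sorted(prune_naive(SAMPLE_CRL, today).serials()))
    day1 = prune_rfc5280(SAMPLE_CRL, today)
    print("RFC 5280, day 1:", sorted(day1.serials()))
    day2 = prune_rfc5280(day1, utc(2005, 8, 18))
    print("RFC 5280, day 2:", sorted(day2.serials()))
```

Serial 3 expired before yesterday's CRL was issued, so that CRL already served as its post-expiry appearance and it can go today; serial 2 expired after yesterday's CRL, so the compliant rule carries it for one more day and only then removes it, while the naive rule drops both at once. Note that pruning only addresses the size complaint: whatever remains on the CRL still publishes serials, revocation dates and any reason codes to every downloader, which is the privacy point raised in the reply.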