[18212] in cryptography@c2.net mail archive
Re: How many wrongs do you need to make a right?
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Wed Aug 17 09:21:39 2005
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: pgut001@cs.auckland.ac.nz (Peter Gutmann),
cryptography@metzdowd.com
In-Reply-To: Your message of "Wed, 17 Aug 2005 14:14:28 +0200."
<87br3wdal7.fsf@mid.deneb.enyo.de>
Date: Wed, 17 Aug 2005 08:40:19 -0400
In message <87br3wdal7.fsf@mid.deneb.enyo.de>, Florian Weimer writes:
>
>Can't you strip the certificates which have expired from the CRL? (I
>know that with OpenPGP, you can't, but that's a different story.)
>
>OTOH, I wouldn't be concerned by the file size, although it's
>certainly annoying. I would be really worried that the contents of
>that CRL leaks sensitive information. At least from a privacy point
>of view, this is a big, big problem, especially if you include some
>indication which allows you to judge the validity of old signatures.
>
One can easily conceive of schemes that don't have such problems, such
as simply publishing the hash of revoked certificates, or using a Bloom
filter based on the hashes.
Of course, that doesn't mean that was how it was done...
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
