Actually, the partitioned CRLs are still CRLs, and hopefully the next
X.509 spec will include them.

        Phill

----- Original Message -----
From: Peter Gutmann <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, March 08, 2000 5:07 AM
Subject: RE: X.BlaBla in PGP??? BWAHAHAHAHAHA!!!!


> "Phillip Hallam-Baker" <[EMAIL PROTECTED]> writes:
>
> >I think you are probably referring to Ron's paper in FC'98. I presented an
> >alternative and somewhat radical architecture at RSA'99 which demonstrated
> >that it was practical to distribute revocation info in real time for a
> >population of 5 billion certs.
>
> There are many good alternatives (actually pretty much everything is better
> than CRL's, so it's difficult to come up with a bad alternative), but the
> problem they all have is that they're not CRL's.  To paraphrase Bob Jueneman
> "The market has spoken.  The answer is CRL's, although no one can quite remember
> what the question was".  Given that it's going to be very difficult to make any
> headway against this unless you've got a vertical-market application where you
> can design things the way you want them, my approach has been to try to turn
> CRL's into a silk purse through some form of reprocessing (a CRL -> OCSP
> gateway would be an example of this).  That way, you can pretend to have CRL's
> (giving the customer exactly what they asked for) while also having a system
> which works.  The warning from Padlipsky's "Elements of Networking Style" is
> still appropriate here though for anyone trying to work around the problem of
> CRL's: "The schoolmen couldn't find how many teeth a horse had in Aristotle; a
> student suggested they look in some horses' mouths. They expelled him".
>
> Peter.
>
>