Re: Identifying revoked certificates

David Shaw <dshaw@akamai.com> Thu, 06 September 2001 20:00 UTC

Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA07253 for <openpgp-archive@odin.ietf.org>; Thu, 6 Sep 2001 16:00:49 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id f86Jlbr13033 for ietf-openpgp-bks; Thu, 6 Sep 2001 12:47:37 -0700 (PDT)
Received: from claude.kendall.akamai.com (akafire.akamai.com [65.202.32.10]) by above.proper.com (8.11.6/8.11.3) with ESMTP id f86JlaD13029 for <ietf-openpgp@imc.org>; Thu, 6 Sep 2001 12:47:36 -0700 (PDT)
Received: (from dshaw@localhost) by claude.kendall.akamai.com (8.9.3/8.9.3) id PAA31464; Thu, 6 Sep 2001 15:46:24 -0400
Date: Thu, 6 Sep 2001 15:46:24 -0400
From: David Shaw <dshaw@akamai.com>
To: Jon Callas <jon@callas.org>
Cc: Michael Young <mwy-opgp97@the-youngs.org>, ietf-openpgp@imc.org
Subject: Re: Identifying revoked certificates
Message-ID: <20010906154624.C750@akamai.com>
Mail-Followup-To: Jon Callas <jon@callas.org>, Michael Young <mwy-opgp97@the-youngs.org>, ietf-openpgp@imc.org
References: <p05100309b7baf2e20a43@[192.168.1.180]> <010901c135ad$a7233000$fac32609@transarc.ibm.com> <p05100325b7bd794fd6a4@[192.168.1.180]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <p05100325b7bd794fd6a4@[192.168.1.180]>; from jon@callas.org on Thu, Sep 06, 2001 at 12:06:49PM -0700
X-PGP-Key: 2048R/3CB3B415/4D 96 83 18 2B AF BE 45 D0 07 C4 07 51 37 B3 18
X-URL: http://www.jabberwocky.com/
X-Phase-Of-Moon: The Moon is Waning Gibbous (88% of Full)
X-Pointless-Random-Number: 76
X-Silly-Header: It sure is.
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

On Thu, Sep 06, 2001 at 12:06:49PM -0700, Jon Callas wrote:
> 
> Are there any comments on Michael's suggestion?
> 
> Here's a sketch design:
> 
> A signature subpacket called "revocation target" that contains a 1-octet
> PKalg, a 1-octet hash algorithm, and then a hash body. It denotes that a
> revocation signature is intended to revoke the signature so specified.
> 
> Comments?

Is it worth adding the timestamp from the original signature to help
find it without having to look at the (larger) hashes?  On a uid with
many signatures, this could speed things up.  Once found, of course,
the hash could then be checked for confirmation.

David

-- 
David Shaw          |  Technical Lead
<dshaw@akamai.com>;  |  Enterprise Content Delivery
617-250-3028        |  Akamai Technologies