Re: operational protocols

["Housley, Russ" <housley@spyrus.com>]

Stef:

I do not see how the CIL can be usefully used as a certificate extension.  
Please provide a more detailed explaination.

Also, the CIL provides proof that the Directory should have had the 
certificate available, but it cannot do anything to force the Directory to 
provde it to the user.

Russ


______________________________ Reply Separator _________________________________
Subject: operational protocols
Author:  Stef Hoeben <Stefan.Hoeben@esat.kuleuven.ac.be>
Date:    4/3/97 6:21 AM


Hello,

[some stuff deleted]

- A small remark about the security of LDAP: it is true 
that the messages don't need to be signed because the CA 
allready signed the certs ans CRL. BUT a nasty LDAPd could 
just answer on a request: 'I don't have that certificate 
or CRL' while he actually does have it. 
Perhaps a way to solve this is a CIL or Certficate Issue List 
(it's in a paper by Silvio Micali, you can find a copy at 
http://www.esat.kuleuven.ac.be/~hoeben/micali.ps). In that
list the CA just puts the serial numbers of the certs (eventually 
after removing some redundancy) and signs it. If there comes a 
request for a cert the CA didn't issue, the LDAPd just gives
the CIL to prove he hasn't got the cert.
I guess this CIL is allready possible in X.509 v3, with the 
aid of private extensions, isn't it?

   Greetings, Stef