![]() | This article is rated C-class on Wikipedia's
content assessment scale. It is of interest to the following WikiProjects: | |||||||||||||||||||||||||||||||||||||
|
Matt, Actually, logically is not limited to mathematical relations. Rhetoric, one of the quadrivium (or was it trivium) was entirely, ahmm, rhetorical. Sorry about that. No I thought some about that phrasing and it should be retained as written, unless I got something conceptually wrong. I'm going back to look. ww 17:53, 17 Apr 2004 (UTC)
Given that the CRL is signed by the CA's key, the problem of "subversion" as noted at the bottom of the article is really a non-issue. This key is "by definition" secure in a hierarchical PKI. Why mention subversion then? Yaronf 19:39, Apr 17, 2004 (UTC)
Yaronf, Given that some PKIs have been built w/o CRLs at all we can't assume rational design thought in the real world. Second, a subversion of the CA might yield a private key and so a test passing (suberted) CRL. Secure (and security analysis) dare not stop with 'by definition' cases. The real world doesn't necessarily follow the definition. Consider the Trusted Third Party or secure channel articles here, I've recently been over them in part to make this point (or something similar).
Comments? (<-- best on my talk page, I've not watchlisted this article).
ww 19:49, 17 Apr 2004 (UTC)
ww 20:42, 17 Apr 2004 (UTC)
<<-- note that the above is a response to something else altogether, namely an invitation to Matt to discuss something off line made at another article all together. And thus we see a live example of losing the thread! ww 20:46, 17 Apr 2004 (UTC)
And now back to "subversion"... A well designed and well deployed PKI is very complex and very hard to subvert. It should employ:
Putting a Microsoft CA on your home PC is certainly not a "real" PKI.
So I wouldn't talk blithely about subversion.
If you do want to subvert a PKI, there are dozens of easier ways to do it. If you get hold of a CA's private key, you're more likely to forge certificates (and use them for communication attacks) then to forge a CRL. Similarly, if you can bribe a CA operator. If all you want is a massive DoS attack, DNS attacks or NTP spoofing is a better bet than playing with the CRL.
Yaronf 08:58, Apr 19, 2004 (UTC)
Im still not sure how and where CRLs are used.
I think the article needs more specific information to give a true understanding of how this is used.
Velle 12:11, 20 August 2006 (UTC)
What is a "PKI-enabled application" (term found in the article)? Im not sure, and if my guess is correct, this is a misleading word.
Velle 22:10, 20 August 2006 (UTC)
The article says, "No comprehensive solution to these problems is known, though there are multiple workarounds for various aspects of it, some of which have proven acceptable in practice," but no examples of workarounds or details are provided. Either a summary of workarounds should be provided or a source needs to be referenced. -- Sho222 15:05, 22 March 2007 (UTC)
The redirect from the Certificate Revocation List page mentions something about generalization - if noone is going to provide a specific example of a "Revocation List" outside of standard X.508/RFC 5280 CRLs, then the ambiguous title is pointless.
VESGroup ( talk) 05:13, 19 July 2016 (UTC)
The result of the move request was: moved per uncontested request below. also looking into the history of the target page, it was initially moved to the more generic term without the use of 'certificate' to make room for the inclusion of information regarding DRM, however that content isn't in the current article. Requested CSD#g6 to make room. ( non-admin closure) Tiggerjay ( talk) 19:09, 7 December 2016 (UTC)
Revocation list →
Certificate revocation list – This term is used both in this article and in others linking to it as "certificate revocation list", and that is the common name.
Mauls (
talk)
11:40, 30 November 2016 (UTC)
This article (and the corresponding Online Certificate Status Protocol article) could be improved by consideration of non-browser scenarios; including enterprise and Internet-of-things. I am hoping for improvements that could guide decision making, and provide pointers for common methods of solving the issues. I plan to help improve the CRL vs. OCSP comparisons, by including an explanation of the impact of different common scenarios (browser vs. IoT vs. enterprise). Also want to take into account implementation context for OCSP responders and CDP (CRL distribution point) implementations. — Preceding unsigned comment added by Trsm.mckay ( talk • contribs) 19:39, 10 October 2019 (UTC)
![]() | This article is rated C-class on Wikipedia's
content assessment scale. It is of interest to the following WikiProjects: | |||||||||||||||||||||||||||||||||||||
|
Matt, Actually, logically is not limited to mathematical relations. Rhetoric, one of the quadrivium (or was it trivium) was entirely, ahmm, rhetorical. Sorry about that. No I thought some about that phrasing and it should be retained as written, unless I got something conceptually wrong. I'm going back to look. ww 17:53, 17 Apr 2004 (UTC)
Given that the CRL is signed by the CA's key, the problem of "subversion" as noted at the bottom of the article is really a non-issue. This key is "by definition" secure in a hierarchical PKI. Why mention subversion then? Yaronf 19:39, Apr 17, 2004 (UTC)
Yaronf, Given that some PKIs have been built w/o CRLs at all we can't assume rational design thought in the real world. Second, a subversion of the CA might yield a private key and so a test passing (suberted) CRL. Secure (and security analysis) dare not stop with 'by definition' cases. The real world doesn't necessarily follow the definition. Consider the Trusted Third Party or secure channel articles here, I've recently been over them in part to make this point (or something similar).
Comments? (<-- best on my talk page, I've not watchlisted this article).
ww 19:49, 17 Apr 2004 (UTC)
ww 20:42, 17 Apr 2004 (UTC)
<<-- note that the above is a response to something else altogether, namely an invitation to Matt to discuss something off line made at another article all together. And thus we see a live example of losing the thread! ww 20:46, 17 Apr 2004 (UTC)
And now back to "subversion"... A well designed and well deployed PKI is very complex and very hard to subvert. It should employ:
Putting a Microsoft CA on your home PC is certainly not a "real" PKI.
So I wouldn't talk blithely about subversion.
If you do want to subvert a PKI, there are dozens of easier ways to do it. If you get hold of a CA's private key, you're more likely to forge certificates (and use them for communication attacks) then to forge a CRL. Similarly, if you can bribe a CA operator. If all you want is a massive DoS attack, DNS attacks or NTP spoofing is a better bet than playing with the CRL.
Yaronf 08:58, Apr 19, 2004 (UTC)
Im still not sure how and where CRLs are used.
I think the article needs more specific information to give a true understanding of how this is used.
Velle 12:11, 20 August 2006 (UTC)
What is a "PKI-enabled application" (term found in the article)? Im not sure, and if my guess is correct, this is a misleading word.
Velle 22:10, 20 August 2006 (UTC)
The article says, "No comprehensive solution to these problems is known, though there are multiple workarounds for various aspects of it, some of which have proven acceptable in practice," but no examples of workarounds or details are provided. Either a summary of workarounds should be provided or a source needs to be referenced. -- Sho222 15:05, 22 March 2007 (UTC)
The redirect from the Certificate Revocation List page mentions something about generalization - if noone is going to provide a specific example of a "Revocation List" outside of standard X.508/RFC 5280 CRLs, then the ambiguous title is pointless.
VESGroup ( talk) 05:13, 19 July 2016 (UTC)
The result of the move request was: moved per uncontested request below. also looking into the history of the target page, it was initially moved to the more generic term without the use of 'certificate' to make room for the inclusion of information regarding DRM, however that content isn't in the current article. Requested CSD#g6 to make room. ( non-admin closure) Tiggerjay ( talk) 19:09, 7 December 2016 (UTC)
Revocation list →
Certificate revocation list – This term is used both in this article and in others linking to it as "certificate revocation list", and that is the common name.
Mauls (
talk)
11:40, 30 November 2016 (UTC)
This article (and the corresponding Online Certificate Status Protocol article) could be improved by consideration of non-browser scenarios; including enterprise and Internet-of-things. I am hoping for improvements that could guide decision making, and provide pointers for common methods of solving the issues. I plan to help improve the CRL vs. OCSP comparisons, by including an explanation of the impact of different common scenarios (browser vs. IoT vs. enterprise). Also want to take into account implementation context for OCSP responders and CDP (CRL distribution point) implementations. — Preceding unsigned comment added by Trsm.mckay ( talk • contribs) 19:39, 10 October 2019 (UTC)