A New Internet-Draft is available from the on-line Internet-Drafts directories. Title : Certificate Manifest Register (Certificate Revocation List v4) Author(s) : Kyle Hamilton Filename : draft-hamilton-cmr-00.txt Pages : 6 Date : 2011-10-20 In the spirit of simple, incremental improvement, we describe a whitelist-based revocation mechanism called the "Certificate Manifest Register". This is a list of all potentially-valid certificates which are (as of the date of production) known to have been legitimately issued by the CA and how they are to be treated by the client. This permits certificates which are checked against it to be presumed invalid unless listed. Several recent events have cast doubt on the sufficiency of blacklist-based PKIX certificate revocation mechanisms. At least one publicly-trusted Certification Authority was recently found to have been penetrated by a state-backed attacker, which issued itself several certificates valid for a particular global web search and email provider and then removed the records that it had done so. In effect, the attacker was able to cause the CA to sleepwalk. There was nothing that the client software developers could do to protect their users and themselves except remove the trust in that CA's root. This event directly caused that particular CA's insolvency. The Certificate Revocation List format and definitions (X.509v2 as described in RFC 5280, its predecessors, and possibly its successors) are used and adapted whole-hog, with no data format changes and the alteration of one rule and one semantic to support whitelist-based processing. CMR is defined to use version integer 3 (v4) to differentiate its processing path from v2 CRL. The changes from the CRL Profile are so minor, though, that they potentially might be implemented without a version bump, without disruption to current v2 CRL consumers. A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-hamilton-cmr-00.txt Internet-Drafts are also available by anonymous FTP at: ftp://ftp.ietf.org/internet-drafts/ This Internet-Draft can be retrieved at: ftp://ftp.ietf.org/internet-drafts/draft-hamilton-cmr-00.txt _______________________________________________ I-D-Announce mailing list I-D-Announce@ietf.org https://www.ietf.org/mailman/listinfo/i-d-announce Internet-Draft directories: http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
