> > 1) short lived certs
> > 2) CRLs published at regular intervals.
> >
> > both involve regularly-signed short-lived objects.
> > Errr - OCSP?

Last year we implemented a system that used DNS (with security extensions) to distribute certificate validity information (among other things). It was a closed system with a couple of central servers (a primary DNS server and several secondary servers) running BIND 9 with signed zone files. Other servers (basically specialized firewalls) were running BIND 9 as caching nameservers that were configured to accept only signed responses.

Each valid certificate had a TXT entry in a zone file. The name of the entry was the base64 encoding of the SHA1 hash of the certificate. When someone wanted to check the validity of some certificate, they did a DNS lookup and checked if the entry existed.

This way we had all the nice (and proven) capabilities of the DNS system (redundancy and caching) without too much trouble, and it was quite easy to use at the application level.

arne
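The scheme arne describes, written out as an added example (not arne's code and not from any project mentioned in the thread): derive the TXT owner name from a certificate, emit the zone file line the primary would carry, and do the application-side lookup against an in-memory stand-in for the caching resolver's view of the signed zone. The zone name `certs.example.`, the placeholder RDATA text, and the choice to hash the DER encoding are assumptions; the post only says "the SHA1 hash of the certificate". The sample certificate bytes are constructed, not real certificates.

```python
"""Added example of arne's DNS-based certificate validity check (not arne's code)."""
import base64
import hashlib

ZONE_ORIGIN = "certs.example."  # assumed zone apex; the post does not name its zone

# Constructed stand-ins for DER-encoded certificates (not real certificates).
CERT_A = b"constructed certificate A (stand-in for DER bytes)"
CERT_B = b"constructed certificate B (stand-in for DER bytes)"


def cert_label(cert_der: bytes) -> str:
    """Owner name of the TXT entry: base64 of the SHA-1 hash of the certificate.

    Assumes the hash is taken over the DER encoding. A 20-byte digest gives
    28 base64 characters, well under the 63-byte DNS label limit. Note that
    the base64 alphabet includes '+', '/' and '=', which are legal in a DNS
    label but not in a hostname, and that DNS compares names case-insensitively.
    """
    return base64.b64encode(hashlib.sha1(cert_der).digest()).decode("ascii")


def zone_line(cert_der: bytes, rdata: str = "valid") -> str:
    """One BIND-style zone file line for a valid certificate.

    Only the entry's existence carries meaning in this scheme; the RDATA text
    is a placeholder (assumed). It is quoted so the zone parser sees one string.
    """
    return f'{cert_label(cert_der)}.{ZONE_ORIGIN} IN TXT "{rdata}"'


class ZoneStandIn:
    """In-memory stand-in for what the caching nameserver would answer.

    Owner names are matched case-insensitively, as in real DNS, so the case
    of a base64 label is not significant to the lookup.
    """

    def __init__(self, valid_certs):
        self._owners = {cert_label(c).lower(): zone_line(c) for c in valid_certs}

    def txt_exists(self, name: str) -> bool:
        """Existence check; callers may pass the bare label or the full name."""
        label = name.lower()
        suffix = "." + ZONE_ORIGIN
        if label.endswith(suffix):
            label = label[: -len(suffix)]
        return label in self._owners


def is_valid(cert_der: bytes, zone: ZoneStandIn) -> bool:
    """What the application did: hash, encode, look up, treat existence as valid.

    With DNSSEC the negative answer for an unknown name is also signed (NSEC),
    so a resolver that accepts only signed responses rejects a forged
    'not found' as well as a forged TXT record; without it, an attacker on the
    path could make a valid certificate look revoked or a revoked one look valid.
    """
    return zone.txt_exists(cert_label(cert_der) + "." + ZONE_ORIGIN)


if __name__ == "__main__":
    zone = ZoneStandIn([CERT_A])
    print(zone_line(CERT_A))
    print("A valid:", is_valid(CERT_A, zone))  # A is in the zone
    print("B valid:", is_valid(CERT_B, zone))  # B is not
```

One practical point the post leaves implicit: because only the existence of the name is checked, the resolver's DNSSEC validation of negative answers is what makes "not found" trustworthy; a caching nameserver configured to accept only signed responses covers both the positive and the negative case, which is why arne's setup could get away with no data in the record at all.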