Re: PKI and Relying Parties

From: Anne & Lynn Wheeler (lynn@garlic.com)
Date: 03/28/02


From: Anne & Lynn Wheeler <lynn@garlic.com>
Date: Thu, 28 Mar 2002 13:34:10 GMT

Harold Hammond <HammondITS@netscape.net> writes:

> This isn't about access control or about the reliability of a PKI. The simple
> question is how can one get access to up-to-date CRLs without becoming a CA.
>
> I want to be able to check Certificate Revocation Lists for digital certificates
> being presented at my website. I do not want to be a CA. I do not want anyone
> to be a CA on my behalf.

another way of doing it is use an enhanced RADIUS with your website
that supports digital signature in place of password or
challenge/response (aka the webserver authentication hook implements
radius ... and then radius specifies password, challenge/response or
digital signature on an account by account basis).

RADIUS repository supplies both the authentication material
(registering password, public key, etc) and the current/accurate
authorization information.

There is some claim that CRLs are the equivalent of the 1960s revoked
account lists distributed in monthly paper booklets in the credit card
industry. This was an offline technology implementation. Offline
technology approaches (like CRLs) became obsolete when moving from an
offline paradigm to an online paradigm starting sometime in the '70s.

You don't become a CA or support CRLs ... you just have registration
of those that you accept and their authentication material (whether
password, digital signature, challenge/response, etc).

misc. RADIUS related discussions
http://www.garlic.com/~lynn/subtopic.html#radius

for additional radius references go to
http://www.garlic.com/~lynn/rfcietff.htm

and click on "Term (term->RFC#)"

in the "Acronym Fastpath" section, click on "RADIUS"

i.e.

remote authentication dial in user service (RADIUS )
      see also authentication , network access server , network services
      3162 2882 2869 2868 2867 2866 2865 2809 2621 2620 2619 2618 2548
      2139 2138 2059 2058

clicking on any RFC number will give you a summary of that RFC.
Clicking on the "(.txt=nnnnn)" field (in a RFC summary) will retrieve the
actual RFC.

also of possible interest are the RFCs of the AAA working group:
Authentication, Authorization and Accounting
      see also accounting , authentication , authorization
      3127 2989 2977 2906 2905 2904 2903

-- 
Anne & Lynn Wheeler   | lynn@garlic.com, http://www.garlic.com/~lynn/
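The registry the post sketches (per-account authentication material plus current authorization status, looked up online instead of consulting a CRL), as an added example that is not part of the original thread and not Lynn Wheeler's code. It is a constructed in-memory stand-in for the RADIUS repository, not a RADIUS protocol implementation: the `Repository`, `Account` and `Credential` types, the method names and the salted-SHA-256 password check are all assumptions made for the illustration (a production store would use a slow password KDF).

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// AuthMethod is selected per account, as the post describes for an enhanced RADIUS.
type AuthMethod int

const (
	MethodPassword AuthMethod = iota
	MethodChallengeResponse
	MethodSignature
)

// Account holds one registered user's authentication material together with
// the authorization status that an online lookup returns at the moment of use.
type Account struct {
	Method       AuthMethod
	Salt         []byte            // MethodPassword
	PasswordHash []byte            // MethodPassword: sha256(salt || password), demo only
	SharedSecret []byte            // MethodChallengeResponse: HMAC key
	PublicKey    ed25519.PublicKey // MethodSignature
	Authorized   bool              // set to false to revoke; nothing is published
}

// Credential is what the website's authentication hook hands to the repository.
type Credential struct {
	Password string // MethodPassword
	Proof    []byte // HMAC-SHA256(secret, nonce) or Ed25519 signature over nonce
}

// Repository is a constructed stand-in for the RADIUS account store (hypothetical).
type Repository struct {
	accounts map[string]*Account
	nonces   map[string][]byte // outstanding challenge per user, consumed on use
}

func NewRepository() *Repository {
	return &Repository{accounts: map[string]*Account{}, nonces: map[string][]byte{}}
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func hashPassword(salt []byte, password string) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	return h[:]
}

func (r *Repository) RegisterPassword(user, password string) {
	salt := randomBytes(16)
	r.accounts[user] = &Account{Method: MethodPassword, Salt: salt,
		PasswordHash: hashPassword(salt, password), Authorized: true}
}

func (r *Repository) RegisterSharedSecret(user string, secret []byte) {
	r.accounts[user] = &Account{Method: MethodChallengeResponse, SharedSecret: secret, Authorized: true}
}

func (r *Repository) RegisterPublicKey(user string, pub ed25519.PublicKey) {
	r.accounts[user] = &Account{Method: MethodSignature, PublicKey: pub, Authorized: true}
}

// Revoke is the online replacement for a CRL entry: the next lookup sees it at once.
func (r *Repository) Revoke(user string) {
	if a, ok := r.accounts[user]; ok {
		a.Authorized = false
	}
}

// Challenge issues a fresh one-time nonce for the user to answer (HMAC or signature).
func (r *Repository) Challenge(user string) ([]byte, bool) {
	if _, ok := r.accounts[user]; !ok {
		return nil, false
	}
	n := randomBytes(32)
	r.nonces[user] = n
	return n, true
}

// ComputeResponse is the client side of challenge/response.
func ComputeResponse(secret, nonce []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(nonce)
	return m.Sum(nil)
}

// Authenticate verifies the credential against the registered material and then
// reports the account's current authorization status; reason explains a false result.
func (r *Repository) Authenticate(user string, c Credential) (ok bool, reason string) {
	a, found := r.accounts[user]
	if !found {
		return false, "unknown account"
	}
	switch a.Method {
	case MethodPassword:
		if subtle.ConstantTimeCompare(hashPassword(a.Salt, c.Password), a.PasswordHash) != 1 {
			return false, "bad password"
		}
	case MethodChallengeResponse, MethodSignature:
		nonce, issued := r.nonces[user]
		if !issued {
			return false, "no outstanding challenge"
		}
		delete(r.nonces, user) // one-time use: a replayed proof fails here
		if a.Method == MethodChallengeResponse {
			if !hmac.Equal(c.Proof, ComputeResponse(a.SharedSecret, nonce)) {
				return false, "bad response"
			}
		} else if !ed25519.Verify(a.PublicKey, nonce, c.Proof) {
			return false, "bad signature"
		}
	}
	if !a.Authorized {
		return false, "account revoked"
	}
	return true, "ok"
}

func main() {
	repo := NewRepository()
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	repo.RegisterPublicKey("alice", pub)
	nonce, _ := repo.Challenge("alice")
	fmt.Println(repo.Authenticate("alice", Credential{Proof: ed25519.Sign(priv, nonce)}))
	repo.Revoke("alice") // no CRL to distribute: the next check is already current
	nonce, _ = repo.Challenge("alice")
	fmt.Println(repo.Authenticate("alice", Credential{Proof: ed25519.Sign(priv, nonce)}))
}
```

The point the post makes is visible in `Authenticate`: the relying party never asks who issued a certificate or fetches a list of revoked ones; it checks the proof against material it registered itself and reads the account's authorization flag from the same record, so `Revoke` takes effect on the next request. Consuming the nonce before verification is what makes a captured response or signature useless a second time.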