Rqmts doc readers will note some discussion about delta CRLs, provided by Oscar or Jesus at some point, and some remarks in the end notes about combining some of the delta CRLs. I have no practical experience using delta CRLs - Oscar & Jesus perhaps, or maybe others outside of Grids, should speak up with real experience.

Our (DOEGrids) customers haven't been able to use delta CRLs, although our CA product can produce them. I don't believe openssl can currently support delta CRLs directly, at least current documentation disclaims this, although don't know what problems result. (Perhaps openssl just treats them as another CRL in the same CA's series without understanding how to integrate them, or perhaps some attribute will trigger evaluation failure - don't know.)

Reviewing the discussion in RFC 3280 5.2.4, it appears that delta CRLs contain their own thisUpdate/nextUpdate attributes. True? Applications are supposed to be able to combine the base CRL & deltas to produce a new effective CRL (that's how I read the RFC). Could we use this to reduce the size of the "cautionary period"? e.g.

    base   delta  delta  delta  delta  delta  base
    crl    1      2      3      4      5      crl
    t0 ... t1 ... t2 ... t3 ... t4 ... t5 ... t6

This would be useless to most or all current Grid customers, but it could be used by a conforming OCSP responder, which could also report the shorter update expectations to the relying party. I think we may have the components to test this in the ESnet-DOEGrids test OCSP responder. I believe one of the other co-authors runs a CA service that could produce delta CRLs, too. I don't know if there are many CAs with that capability - I think I know of another European one, and perhaps one in Asia.

If I am reading the RFC right and current products seem to support this, we should recommend this "system configuration" to improve the quality of revocation info in Grids. This is a real improvement over the current state of affairs and will meet the needs of security officers much better, in my opinion. Of course, we'll have to get their reading on it. It also seems relatively forgiving, in that a variety of delta production schedules including "none" can be supported.

Thanks,
==mwh
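
The base-plus-delta combination from RFC 3280 section 5.2.4 that the message refers to, as an added example that is not part of the original message or of any CA or OCSP product's code. The `Crl` class, the issuer name, the serial numbers and the hour-based times are constructed for illustration; the scope comparison is omitted, and treating the delta's nextUpdate as the freshness bound of the combined view is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

REMOVE_FROM_CRL = "removeFromCRL"  # reason code that lifts an earlier entry

@dataclass
class Crl:
    # Hypothetical in-memory model of a parsed CRL, not a real library type.
    issuer: str
    crl_number: int
    this_update: int   # constructed times: hours since t0
    next_update: int
    entries: dict      # serial number -> reason code
    base_crl_number: Optional[int] = None  # present only on delta CRLs

def combine(base: Crl, delta: Crl) -> Crl:
    """Return the effective CRL for base + delta, or raise ValueError."""
    if base.base_crl_number is not None:
        raise ValueError("first argument must be a complete CRL")
    if delta.base_crl_number is None:
        raise ValueError("second argument is not a delta CRL")
    if base.issuer != delta.issuer:
        raise ValueError("issuer mismatch")
    # The complete CRL must be at or after the base the delta refers to ...
    if base.crl_number < delta.base_crl_number:
        raise ValueError("complete CRL is older than the delta's base")
    # ... and the delta must follow it in the CRL numbering sequence.
    if base.crl_number >= delta.crl_number:
        raise ValueError("delta does not follow the complete CRL")
    revoked = dict(base.entries)
    for serial, reason in delta.entries.items():
        if reason == REMOVE_FROM_CRL:
            revoked.pop(serial, None)   # e.g. a hold that was released
        else:
            revoked[serial] = reason
    # Assumption: the combined view carries the delta's number and update times.
    return Crl(base.issuer, delta.crl_number, delta.this_update,
               delta.next_update, revoked)

# Constructed sample: base CRL at t0 valid for 24h, third delta issued at 12h.
BASE = Crl("CN=Example CA", 10, 0, 24,
           {0x1A: "keyCompromise", 0x2B: "certificateHold"})
DELTA3 = Crl("CN=Example CA", 13, 12, 16,
             {0x2B: REMOVE_FROM_CRL, 0x3C: "keyCompromise"},
             base_crl_number=10)
EFFECTIVE = combine(BASE, DELTA3)
```

With the sample data, the combined list drops the released hold, gains the newly revoked serial, and is due for refresh at hour 16 instead of hour 24.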