
Re: draft-ietf-pkix-scvp-32.txt




I disagree.

SCVP is a protocol that can make complex PKIs work.  The big problem with a federated PKI using bridged and cross-certified CAs is that it forces the relying party to do too much work in crawling the CA network and checking the revocation of every link.  This has an unacceptable risk of failure unless every server and service in the network is 100% reliable and available.  SCVP moves the path discovery and validation to a server which can be configured to do much more intelligent caching, pre-fetching, etc.  SCVP in DPD mode is perfect for this.  As new CAs join the bridged network, they will "automatically" be usable by the server and clients without having to add yet another hard-coded root CA into a massive trust list.


Anders Rundgren wrote:
Although probably not NIST's intentions with SCVP, I would not be surprised if SCVP long-term will put the final nail in the Bridge CA coffin.

Off-loaded validation is a MUCH better concept since it is fully dynamic, allows arbitrary granularity down to individual EE certificates, and most of all does not rely on a centrally funded/trusted "über-CA".  In fact, a successful rollout of SCVP will probably eliminate most other uses of cross-certification as well.

Anders