[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: request for WG to adopt draft-chadwick-webdav-00.txt as a work item

To: David Chadwick <d.w.chadwick@xxxxxxxxxx>
Subject: Re: request for WG to adopt draft-chadwick-webdav-00.txt as a work item
From: Stephen Kent <kent@xxxxxxx>
Date: Tue, 11 Sep 2007 11:10:01 -0400
Cc: "ietf-pkix@xxxxxxx" <ietf-pkix@xxxxxxx>
In-reply-to: <46E6678A.2030307@xxxxxxxxxx>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
References: <OF3876B698.C80CC9A9-ONC125734F.002F7456@xxxxxxxxxxxx> <46E1B0B7.3080003@xxxxxxxxxx> <> <46E6678A.2030307@xxxxxxxxxx>
Sender: owner-ietf-pkix@xxxxxxxxxxxx


At 11:01 AM +0100 9/11/07, David Chadwick wrote:

Hi Steve
As you know nearly everything in security is a tradeoff in one wayor another. What the webdav scheme gives you is instant revocationstatus, which CRLs do not give you, but the tradeoff is having totrust the repository. So the schemes are fundamentally different,but I submit that there are many user requirements where thetradeoff of instant revocation is preferable to the morecryptographically protected though stale CRL scheme.
regards

David

The phrase "instant revocation status" is, I fear, a misnomer. InOCSP an RP can make a query about a single cert and get a responsethat applies to just that cert, but that says nothing about therelative freshness of the revocation status data vs. what a CRLtells us. The same is potentially true here.

Also, if one argues that a CA will manage a repository under theWebDAV approach to offer fresher revocation status data than a CRL,the same argument could be made for the CA managing an OCSP server,right? In the case of OCSP, one need not trust a repository, butrather trust an OCSP server. Is there a difference? Maybe, maybenot. It will depend on what forms of authentication one requires forWebDAV access, e.g., if you mandated use of TLS and required that theTLS server cert be issued under the CA in question, then maybe thesecurity would be equivalent to what we have with an OCSP server (notlightweight) with a server cert issued under the CA.

In general I think that instant revocation is over emphasized. Inmany (most?) contexts the decision to revoke a cert is a serious one,and thus people generally do not act very quickly. In fact, this is abig part of why the financial community insisted on cert hold statusas a half-way revocation mechanism. Thus the speed with which arevocation decision is reflected in a database (OCSP, CRL, or WebDAV)is probably the fastest link in the process chain.


Steve

References:
- Re: request for WG to adopt draft-chadwick-webdav-00.txt as a work item
  - From: Denis Pinkas
- Re: request for WG to adopt draft-chadwick-webdav-00.txt as a work item
  - From: David Chadwick
- Re: request for WG to adopt draft-chadwick-webdav-00.txt as a work item
  - From: Stephen Kent
- Re: request for WG to adopt draft-chadwick-webdav-00.txt as a work item
  - From: David Chadwick

Prev by Date: Re: Requirements for SCVP over HTTP
Next by Date: Re: Matching rule review comment on 3280bis
Previous by thread: Re: request for WG to adopt draft-chadwick-webdav-00.txt as a work item
Next by thread: Re: request for WG to adopt draft-chadwick-webdav-00.txt as a work item
Index(es):
- Date
- Thread