
Re: OCSP and CSL



Mike Young wrote:
> 
> >First of all OCSP is out of question as it is not a trust
> >source but rather a delivery channel for fast trust
> >information. For non-repudiation service, it needs to be
> >backed up by long-term data such as those of a CRL.
> 
> Please elaborate

Done in another mail.

> >Finally, I'd like to give my users the autonomous ability to
> >suspend and then re-activate their certificates. Let's
> >imagine the following scenario:
> >- I don't want to take my smart-card with me and I leave it
> >at the office (or I use a software PSE installed on my PC at
> >work)
> >- as I don't trust the company in charge of cleaning up the
> >office (or may be my co-workers), I'd like to suspend the
> >cert validity during week-ends, vacation, or even during
> >night hours
> >- I'd like to do this by just clicking on a button on a
> >secure Web page (with client authentication) or sending a
> >signed S/MIME message to an automatic responder
> >- the responder (or the Web server) could in turn provide me
> >with a one-time token to re-activate the cert at my will
>
> You can do that with OCSP, xcert has a vacation program.

Great! But for legal use you need to put that in a long-term
archive.
 
> So every time a cert is Suspended, you want to add that to the CSL? and I
> assume you want this file issued frequently and signed by the CA? What if
> you have a CA with several million certs, the management of a CSL will be a
> nightmare.
> The only way to create a scalable PKI that can last 10-15 years is with
> OCSP. CRL/CSLs are so 1980's :^)

Maybe CRL/CSL are so 80's, but OCSP is at most 90's  :-)
not 2000, in the sense that it is complete deregulation. But
how can I use OCSP to ask if a cert was valid 2 years ago?
In the request there is no way to specify the time for which
the check should be performed, so if I don't continuously
ask the OCSP server for the status of all certs (building my
personal CRL :-) I will never be able to prove revocation
status in the future.
OCSP is very much oriented to on-line, short-lived
transactions, while CRL/CSL are more useful in an off-line,
legal, long-lived environment.

Best regards,

Antonio Lioy

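The point made above (an OCSP request identifies the certificate by issuer hashes and serial number but carries no "as of" time, whereas an archive of signed CRLs can be consulted later to show what a relying party could have known at any past moment) is illustrated by the following added example. It is not code from the thread or from any product mentioned in it; the CRL archive, the serial numbers 0x1001 and 0x1002, the dates and the weekend-suspension scenario are constructed sample data. The lookup picks the most recent archived CRL issued at or before the time asked about, refuses to answer when that CRL had already expired (an archive gap), and distinguishes a certificateHold (suspension, which simply disappears from a later CRL when lifted) from a permanent revocation.

```python
"""Answer "was certificate S valid at time T?" from an archive of CRLs.

Added example, not code from the original thread. The CRLs, serials
and dates below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# CRLReason values from RFC 5280, section 5.3.1
UNSPECIFIED = 0
KEY_COMPROMISE = 1
CERTIFICATE_HOLD = 6   # suspension: the entry may vanish from a later CRL


@dataclass
class RevokedEntry:
    serial: int
    revocation_date: datetime
    reason: int = UNSPECIFIED


@dataclass
class ArchivedCRL:
    """One signed CRL as stored in the long-term archive (signature
    verification is assumed to have happened when it was archived)."""
    this_update: datetime
    next_update: datetime
    entries: List[RevokedEntry] = field(default_factory=list)

    def lookup(self, serial: int) -> Optional[RevokedEntry]:
        return next((e for e in self.entries if e.serial == serial), None)


def crl_in_force_at(archive: List[ArchivedCRL], t: datetime) -> Optional[ArchivedCRL]:
    """Most recent archived CRL issued at or before t.

    Returns None when the archive has nothing issued by t, or when the
    newest candidate had already passed its nextUpdate at t: that is an
    archive gap, and the honest answer is "unknown", not "good".
    """
    candidates = [c for c in archive if c.this_update <= t]
    if not candidates:
        return None
    crl = max(candidates, key=lambda c: c.this_update)
    return crl if t <= crl.next_update else None


def status_at(archive: List[ArchivedCRL], serial: int, t: datetime) -> str:
    """Status a relying party could have established at time t from the
    CRLs published by then: 'good', 'suspended', 'revoked' or 'unknown'.

    Note that a revocation processed by the CA after the CRL in force at t
    was issued is not yet visible at t: the answer reflects published
    information, which is exactly what an archive can later prove.
    """
    crl = crl_in_force_at(archive, t)
    if crl is None:
        return "unknown"
    entry = crl.lookup(serial)
    if entry is None or entry.revocation_date > t:
        return "good"
    return "suspended" if entry.reason == CERTIFICATE_HOLD else "revoked"


def build_sample_archive() -> List[ArchivedCRL]:
    """Constructed archive of daily CRLs (issued at midnight, valid one day)
    covering a weekend suspension of 0x1001 and a revocation of 0x1002."""
    def d(day: int, hour: int = 0) -> datetime:
        return datetime(1999, 7, day, hour)

    one_day = timedelta(days=1)
    fri, sat, sun, mon, tue = d(2), d(3), d(4), d(5), d(6)
    hold = RevokedEntry(0x1001, d(2, 18), CERTIFICATE_HOLD)      # suspended Fri 18:00
    compromise = RevokedEntry(0x1002, d(4, 22), KEY_COMPROMISE)  # revoked Sun 22:00
    return [
        ArchivedCRL(fri, fri + one_day, []),
        ArchivedCRL(sat, sat + one_day, [hold]),
        ArchivedCRL(sun, sun + one_day, [hold]),
        # Monday: the hold is lifted by simply omitting the entry
        ArchivedCRL(mon, mon + one_day, [compromise]),
        ArchivedCRL(tue, tue + one_day, [compromise]),
    ]


if __name__ == "__main__":
    arc = build_sample_archive()
    for serial, when in [(0x1001, datetime(1999, 7, 3, 12)),
                         (0x1001, datetime(1999, 7, 5, 12)),
                         (0x1002, datetime(1999, 7, 5, 12)),
                         (0x1002, datetime(1999, 7, 20))]:
        print(f"{serial:#x} at {when}: {status_at(arc, serial, when)}")
```

Two behaviours are worth noting. A query for Friday 20:00 answers "good" for 0x1001 even though the user pressed the suspend button at 18:00, because the CRL that first lists the hold was only issued at midnight; the archive proves what was published, not what the CA knew internally. And a query for 20 July answers "unknown" rather than "good", because the last archived CRL had expired: an archive that is not kept complete loses exactly the evidential value that motivates keeping it.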