
RE: German Law and OCSP



Hi Andreas,
    Does it really make sense calling this OCSP any more? You will
most probably not work with most of the servers/clients.

    Also, you do have the requirement that the client verifies the
public key hash that it receives in the response...

    There are ways of profiling the spec that work within the
parameters defined by OCSP. In other ways, you break the design
of the basic protocol. In my opinion, this is the latter, not
the former.

Regards,
Ambarish

P.S. If you can get the German standard changed to follow the
spec, that might not be a very bad idea.

---------------------------------------------------------------------
Ambarish Malpani
Architect                                                650.567.5457
ValiCert, Inc.                                  ambarish@valicert.com
1215 Terra Bella Ave.                         http://www.valicert.com
Mountain View, CA 94043-1833


> -----Original Message-----
> From: Andreas Berger [mailto:aberger@darmstadt.gmd.de]
> Sent: Monday, January 31, 2000 5:19 AM
> To: Ambarish Malpani
> Cc: 'ietf-pkix@imc.org'
> Subject: Re: German Law and OCSP
> 
> 
> Ambarish Malpani wrote:
> > 
> > Hi Guys,
> >     I recently read a document that seemed to indicate that
> > the German Digital Signature Law or some related documents
> > specified that you can use OCSP to check the revocation status
> > of a cert, but they allowed you to send over all 0's as the
> > hash of the CA's public key.
> 
> This is true. We introduced this option to enable the end-system to make
> queries about certificates when the CA certificate is not (at least at
> the point of this check) known. Therefore, we allowed the CA public key
> (resp. the hash) to be "omitted" in the query. The hash is, of course,
> required in the reply.
> 
> >     Does anybody know more about whether the statement above
> > is true or not? If it is, I am concerned that they might not be
> > using OCSP correctly.
> 
> We had to extend the functionality (it was mid 1998 if I remember
> correctly). OCSP supports (supported) only the CRL-like "CRL on-line"
> design. We needed (as Hans has written)
> 
> 1. Certificate was created, is in the service since T, and is not
> revoked
> 2. Certificate was created, is in the service since T, and is revoked
> 3. Certificate is unknown
> 
> which was not possible with the OCSP of that time.
> 
> Andreas Berger
> GMD Darmstadt
> -- 
> We never have enough time!
>
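To make the interoperability point of this exchange concrete, here is an added example (not code from the thread or from any implementation mentioned in it) that computes an RFC 2560 CertID with Python's standard library, builds the all-zeros key-hash request the German profile allows, and shows why a responder or client doing strict CertID matching rejects it while the compensating client-side check of the key hash in the reply still passes. The DER helpers, the CA name, the public-key bytes and the serial number are constructed placeholders.

```python
import hashlib

# Minimal DER helpers written for this example (not a general ASN.1 library).
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def rdn_name(common_name):
    """DER Name with one CN attribute: SEQUENCE { SET { SEQUENCE { OID, UTF8String } } }."""
    cn_oid = der_tlv(0x06, bytes.fromhex("550403"))  # id-at-commonName 2.5.4.3
    atv = der_tlv(0x30, cn_oid + der_tlv(0x0C, common_name.encode()))
    return der_tlv(0x30, der_tlv(0x31, atv))

def cert_id(issuer_name_der, issuer_public_key, serial):
    """RFC 2560 CertID: SHA-1 over the issuer's DER Name and over its subjectPublicKey bits."""
    return {"issuerNameHash": hashlib.sha1(issuer_name_der).digest(),
            "issuerKeyHash": hashlib.sha1(issuer_public_key).digest(),
            "serialNumber": serial}

ZERO_KEY_HASH = bytes(20)

def profile_request_id(issuer_name_der, serial):
    """Request CertID as described in the thread: the CA key hash is sent as all zeros."""
    cid = cert_id(issuer_name_der, b"", serial)
    cid["issuerKeyHash"] = ZERO_KEY_HASH
    return cid

def full_certid_match(request_id, response_id):
    """Strict matching: the CertID in the reply must equal the one in the request."""
    return request_id == response_id

def client_checks_key_hash(response_id, trusted_ca_public_key):
    """Compensating check from the thread: compare the reply's key hash with the CA key the client trusts."""
    return response_id["issuerKeyHash"] == hashlib.sha1(trusted_ca_public_key).digest()

# Constructed sample data: a CA name, placeholder public-key bits (not a real key) and a serial.
CA_NAME = rdn_name("Example Root CA")
CA_PUBLIC_KEY = bytes(range(140))
SERIAL = 0x1234
REQUEST_ID = profile_request_id(CA_NAME, SERIAL)
RESPONSE_ID = cert_id(CA_NAME, CA_PUBLIC_KEY, SERIAL)  # the responder fills in the real hash

if __name__ == "__main__":
    print("strict CertID match:", full_certid_match(REQUEST_ID, RESPONSE_ID))           # False
    print("client key-hash check:", client_checks_key_hash(RESPONSE_ID, CA_PUBLIC_KEY))  # True
```

A client that only accepts replies whose CertID equals the one it sent (the behaviour Ambarish alludes to) never gets a match from such a request, which is the interoperability problem; the profile relies instead on the second function's check.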