[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: German Law and OCSP

To: "'Denis Pinkas'" <Denis.Pinkas@xxxxxxxx>, "'Ambarish Malpani'" <ambarish@xxxxxxxxxxxx>
Subject: RE: German Law and OCSP
From: Simon Tardell <simon.tardell@xxxxxxxxxxx>
Date: Thu, 10 Feb 2000 16:46:13 +0100
Cc: "'ietf-pkix@xxxxxxx'" <ietf-pkix@xxxxxxx>

> Before discussing the modifications or enhancements to be made to
> OCSP I would like that we go back to the rational of making them.
> 
> I have not been able to follow in details all the E-mails exchanges
> on that topic, so if this has already be posted on the mailing list,
> please indicate me in which message it is mentioned.
> 
> I would like to go behind arguments like "this is required in
> specification XXX". I would like to understand the rational of the
> requirements and, once these are identified, if there would be other
> solutions that could solve the same requirements.

> Changing a status in a spec. is an easy thing to do. Before doing
> anything like this, we (i.e. the WG) have to understand the
> implications.
> 
> Once said, let us come to the technical side. 
> 
> It seems to me that the purpose of this new service is to offer an
> additional guarantee which is that the certificate has really been
> issued by the right CA and is not a forgery of a certificate made
> using the CA compromised key. 

This discussion is first and foremost about how to express additional
assertions in OCSP (apart from revocation) in general, not any particular
assertion. 

As you say, issuance is not a question if you have the certificate at hand
and trust the CA certificate. However:

Andreas Berger wrote:
> We had to extend the functionality (it was mid 1998 if I remember
> correctly). OCSP supports (supported) only the CRL-like "CRL on-line"
> design. We needed (as Hans has written)

> 1. Certificate was created, is in the service since T, 
> and is not revoked
> 2. Certificate was created, is in the service since T, and is revoked
> 3. Certificate is unknown

> which was not possible with then the OCSP. 

In my understanding "is in service" means that the certificate can be
produced at one time, but should not be usable until some later time, e.g.
when the intended user confirms receipt of the corresponding token.

Simon.

Simon Tardell, Software Architect, iD2 Technologies
simon.tardell@iD2tech.com, http://www.iD2tech.com/
voice +46 8 7755225, cell +46 70 3198319, fax +46 8 7267912
European IT-prize grand winners 1998 -- http://www.it-prize.org
AU-System Group Swedish IT-company of the year 1999

Follow-Ups:
- Re: German Law and OCSP
  - From: Denis Pinkas

Prev by Date: FW: ISS Security Alert v.2
Next by Date: Re: German Law and OCSP
Previous by thread: Re: German Law and OCSP
Next by thread: Re: German Law and OCSP
Index(es):
- Date
- Thread