RE: German Law and OCSP
Hi Alistair,
Didn't you want to scrap OCSP entirely, anyway? :-)
How a VA gets and keeps access to its revocation data doesn't
need to involve access to the CA's repository. It could keep the
data locally/in memory.
Yes, I agree, you could return tryLater; the main thing I would
question is the value of making that a requirement on the
VA.
Regards,
Ambarish
---------------------------------------------------------------------
Ambarish Malpani
Architect 650.567.5457
ValiCert, Inc. ambarish@valicert.com
1215 Terra Bella Ave. http://www.valicert.com
Mountain View, CA 94043-1833
> -----Original Message-----
> From: Grant, Alistair [mailto:Alistair.Grant@ca.com]
> Sent: Thursday, February 24, 2000 3:54 PM
> To: Ambarish Malpani; 'ietf-pkix@imc.org'
> Subject: RE: German Law and OCSP
>
>
> Ambarish Malpani wrote:
> > II. The "publicly available" clause needs to be carefully
> > interpreted. I don't think it makes sense to force the VA
> > to try and retrieve the certificate in question from a
> > directory, because you *will* hit the situation where a
> > certificate was, in fact correctly issued, but because of
> > some transient network/machine problem, the VA can't get to
> > the repository for an instant in time. In that case, should
> > the VA return a status of bad/revoked/unknown/good? Which of
> > the responses is "correct"?
>
> If we take this reasoning one step further, the responder can't get
> the CRL because of some transient network/machine problem, what
> should be done?
> Taking this to the (ridiculous) extreme, does that mean we shouldn't
> force the responder to try and retrieve the CRL?
>
> I think the common answer will be that the responder returns unknown
> or tryLater until the CRL becomes available.
>
> I don't believe that this particular argument holds against requiring
> the responder to retrieve the certificate as part of the status check.
>
>
> Cheers,
>
>
> Alistair Grant
> Project Manager - Development
> Computer Associates, OpenDirectory Lab
> Melbourne, Victoria, Australia
> Phone: +61 3 9727 8912
> Mobile: +61 408 565 080
> Fax: +61 3 9727 3491
> E-Mail: Alistair.Grant@ca.com
>
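
The following is an added example, not part of the original messages or of any product mentioned in them: a minimal sketch of a VA that answers from revocation data held in memory and returns tryLater once that data has expired without a refresh. The class names, data layout and sample values are hypothetical; the status names are those of RFC 2560.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# OCSPResponseStatus and CertStatus names as defined in RFC 2560.
SUCCESSFUL, TRY_LATER = "successful", "tryLater"
GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"

@dataclass
class RevocationSnapshot:
    """One issuer's revocation data as held in the VA's memory (hypothetical layout)."""
    revoked_serials: set
    this_update: datetime
    next_update: datetime

@dataclass
class Responder:
    snapshots: dict = field(default_factory=dict)  # issuer name -> RevocationSnapshot

    def load(self, issuer, snap):
        """Install fresh data, e.g. after a successful CRL fetch."""
        self.snapshots[issuer] = snap

    def status(self, issuer, serial, now):
        """Return (response_status, cert_status) using local data only."""
        snap = self.snapshots.get(issuer)
        if snap is None:
            # Issuer this VA holds no data for: it cannot speak for the cert.
            return SUCCESSFUL, UNKNOWN
        if now >= snap.next_update:
            # Local data expired and no refresh arrived (transient outage):
            # defer instead of answering "good" from stale data.
            return TRY_LATER, None
        if serial in snap.revoked_serials:
            return SUCCESSFUL, REVOKED
        return SUCCESSFUL, GOOD

if __name__ == "__main__":
    # Constructed sample data, not taken from any real CA.
    t0 = datetime(2000, 2, 24, 12, 0, tzinfo=timezone.utc)
    va = Responder()
    va.load("CN=Example CA", RevocationSnapshot({0x1234}, t0, t0 + timedelta(hours=1)))
    for when in (t0, t0 + timedelta(hours=2)):
        print(when.isoformat(), va.status("CN=Example CA", 0x1234, when))
```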