
RE: German Law and OCSP



>c. The responder (VA) verifies that the cert was contained in "the"
>directory.

Is VA now a generic term for OCSP responder?  I thought you guys trademarked
it. Be careful, you don't want to go the way of kleenex... :)

>ANOTHER CERTIFICATE WITH THE SAME
>SERIAL NUMBER WAS ISSUED AND IS IN THE DIRECTORY!

How so?  Since the certID includes the issuerNameHash, it identifies the
issuer, and since the issuer doesn't re-use serial numbers...  There are
performance implications -- it might require a directory to index by
HASH(issuer_dn) -- but that seems surmountable.  There are other approaches,
such as having an OCSP responder which gets both certs and CRLs, not just
revocation data.  (Modesty prevents me from naming names :)

It also puts the directory into part of the trusted base.  In general
directories aren't put there, but if that's what the lawyers wrote, then
we techies can only comply.
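An added example, not part of this message or the thread, showing the point the reply relies on: an RFC 2560 CertID carries issuerNameHash and issuerKeyHash alongside the serial number, so two certificates with the same serial from different issuers produce different CertIDs, while a directory keyed on serial alone would confuse them. The issuer names, key bits and serials below are constructed for illustration; the DER helpers hand-encode only the structures needed here.

```python
"""Build RFC 2560 CertID values and show that issuerNameHash/issuerKeyHash
disambiguate certificates that share a serial number across issuers.

Added example with constructed inputs; the "keys" are placeholder bytes,
not real public keys."""
import hashlib

SHA1_OID = bytes.fromhex("2b0e03021a")  # 1.3.14.3.2.26 (id-sha1)


def der_len(n: int) -> bytes:
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, body: bytes) -> bytes:
    """Tag-length-value wrapper."""
    return bytes([tag]) + der_len(len(body)) + body


def der_integer(value: int) -> bytes:
    """Non-negative INTEGER; adds a leading zero when the high bit is set."""
    body = value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big")
    return der(0x02, body)


def der_name(common_name: str) -> bytes:
    """Name with one RDN: SEQUENCE { SET { SEQUENCE { OID cn, UTF8String } } }."""
    cn_oid = der(0x06, bytes.fromhex("550403"))  # 2.5.4.3 (commonName)
    attr = der(0x30, cn_oid + der(0x0c, common_name.encode("utf-8")))
    return der(0x30, der(0x31, attr))


def cert_id(issuer_name_der: bytes, issuer_key_bits: bytes, serial: int) -> bytes:
    """CertID ::= SEQUENCE { hashAlgorithm AlgorithmIdentifier,
                             issuerNameHash OCTET STRING,
                             issuerKeyHash  OCTET STRING,
                             serialNumber   CertificateSerialNumber }
    issuerNameHash is over the DER-encoded issuer Name; issuerKeyHash is over
    the subjectPublicKey BIT STRING contents (tag, length, unused-bits byte
    excluded)."""
    alg = der(0x30, der(0x06, SHA1_OID) + der(0x05, b""))
    name_hash = hashlib.sha1(issuer_name_der).digest()
    key_hash = hashlib.sha1(issuer_key_bits).digest()
    return der(0x30, alg + der(0x04, name_hash) + der(0x04, key_hash) + der_integer(serial))


# Constructed issuers: two CAs, each holding a placeholder key.
ISSUER_A = der_name("Example CA A")
ISSUER_B = der_name("Example CA B")
KEY_A = bytes(range(64))        # placeholder subjectPublicKey bits
KEY_B = bytes(range(64, 128))   # placeholder subjectPublicKey bits


def serial_only_collides(serial_a: int, serial_b: int) -> bool:
    """What a directory keyed only on serial number would see."""
    return serial_a == serial_b


def cert_id_collides(name_a, key_a, serial_a, name_b, key_b, serial_b) -> bool:
    """What an OCSP responder keyed on the full CertID sees."""
    return cert_id(name_a, key_a, serial_a) == cert_id(name_b, key_b, serial_b)


if __name__ == "__main__":
    # Same serial 1 issued by CA A and CA B: collides on serial, not on CertID.
    print("serial-only collision:", serial_only_collides(1, 1))
    print("CertID collision:     ",
          cert_id_collides(ISSUER_A, KEY_A, 1, ISSUER_B, KEY_B, 1))
    print("CertID hex:", cert_id(ISSUER_A, KEY_A, 1).hex())
```

Indexing by issuerNameHash rather than the raw DN is what the "HASH(issuer_dn)" index in the reply amounts to: the responder can look up the issuer bucket from the CertID without canonicalising the DN itself.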