
RE: German Law and OCSP



Hi Rich,
    Answers inline.

Ambarish

> -----Original Message-----
> From: Salz, Rich [mailto:SalzR@CertCo.com]
> Sent: Monday, February 28, 2000 2:03 PM
> To: 'Ambarish Malpani'; 'ietf-pkix@imc.org'
> Subject: RE: German Law and OCSP
> 
> 
> >c. The responder (VA) verifies that the cert was contained in "the"
> directory.
> 
> Is VA now a generic term for OCSP responder?  I thought you 
> guys trademarked
> it. Be careful, you don't want to go the way of kleenex... :)

Actually, I am not sure that we have done so - good idea :-)

> 
> >ANOTHER CERTIFICATE WITH THE SAME
> >SERIAL NUMBER WAS ISSUED AND IS IN THE DIRECTORY!
> 
> How so?  Since the certID includes the issuerNameHash, it 
> identifies the
> issuer, and since the issuer doesn't re-use serial#'s,...  There are
> performance implications -- it might require a directory to index by
> HASH(issuer_dn) -- but that seems surmountable.  There are 
> other approaches,
> such as having an OCSP responder which gets both certs and 
> crl's, not just
> revocation data.  (Modesty prevents me from naming names :)

Yes, Rich - what you say would be true if nobody could forge a
CA's signature, but in that case the person making the request
could just verify the signature on the cert itself and you would
not get any added benefit from having the VA look up the directory
for the existence of the cert.

The point I have been trying to make is:
a. Either you think the CA's signature can be forged
b. Or, you don't.

If a. is true, then you really need to send the whole cert to the
VA and have the VA tell you if it was actually issued.

If b. then all you need to do is verify the signature on the cert
and you are done - having the VA check for the cert in a directory
is useless.

> 
> It also puts the directory into part of the trusted base.  In general
> directories aren't put there, but if that's what the lawyers 
> wrote, then
> we techies can only comply.


Again, as a techie, I like to make my own life as simple as I can.
If I can get a level of security by relying on 1 component, I would
prefer that solution, to one where I get the same level of security
by relying on the security aspects of 2 components - the more
pieces you need to be operated securely, the more insecure your
solution.

Hope this clarifies things,
Regards,
Ambarish
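
The following is an added example, not code from the thread or from either author's product. It builds the RFC 2560 CertID (hash algorithm, issuerNameHash over the DER-encoded issuer Name, issuerKeyHash, serialNumber) with a small stdlib-only DER encoder, and runs a toy responder two ways: indexed by serial alone, and indexed by CertID, i.e. by HASH(issuer_dn) as Rich describes. It then presents a certificate carrying a forged CA signature that reuses a legitimate issuer name and serial. The CertID lookup cannot tell the forgery from the real certificate, while comparing the whole presented certificate against the stored one can, which is the a/b distinction Ambarish draws. The issuer names, serial numbers, subject names and the `issuer_key` byte strings are constructed stand-ins, and `stand_in_der` is a placeholder for a real TBSCertificate encoding, not X.509.

```python
"""Added example: OCSP CertID indexing vs. whole-certificate checks (stdlib only).

All issuer DNs, serials, subjects and key bytes are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite length (lengths below 65536 suffice here)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body


def der_oid(dotted: str) -> bytes:
    """Encode an OBJECT IDENTIFIER given in dotted form, e.g. '2.5.4.3' (commonName)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]  # base-128; the high bit is set on every byte but the last
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return der_tlv(0x06, bytes(body))


def der_int(n: int) -> bytes:
    """Encode a non-negative INTEGER; the extra byte keeps the sign bit clear when needed."""
    return der_tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def der_name(rdns) -> bytes:
    """Encode an X.501 Name: SEQUENCE OF { SET OF { SEQUENCE { type, PrintableString } } }."""
    out = b"".join(
        der_tlv(0x31, der_tlv(0x30, der_oid(oid) + der_tlv(0x13, val.encode("ascii"))))
        for oid, val in rdns
    )
    return der_tlv(0x30, out)


@dataclass(frozen=True)
class Cert:
    issuer: tuple       # issuer RDNs, e.g. (("2.5.4.3", "Example CA A"),)
    serial: int
    subject: str
    issuer_key: bytes   # constructed stand-in for the issuer's subjectPublicKey bits

    def stand_in_der(self) -> bytes:
        """Constructed stand-in for the certificate's DER (not X.509); only its hash is used."""
        return der_tlv(0x30, der_name(self.issuer) + der_int(self.serial)
                       + der_tlv(0x13, self.subject.encode("ascii")))


@dataclass(frozen=True)
class CertID:
    """RFC 2560 CertID: hash algorithm, issuerNameHash, issuerKeyHash, serialNumber."""
    hash_alg: str
    issuer_name_hash: bytes
    issuer_key_hash: bytes
    serial: int


def cert_id(cert: Cert, hash_alg: str = "sha1") -> CertID:
    """issuerNameHash hashes the DER issuer Name; issuerKeyHash hashes the issuer's key bits."""
    def h(data: bytes) -> bytes:
        return hashlib.new(hash_alg, data).digest()
    return CertID(hash_alg, h(der_name(cert.issuer)), h(cert.issuer_key), cert.serial)


class Responder:
    """Toy responder that knows the set of certificates the CA actually issued."""
    def __init__(self, issued):
        self.by_serial = {}   # serial only: ambiguous as soon as two issuers are served
        self.by_cert_id = {}  # keyed by CertID, i.e. indexed by HASH(issuer_dn) plus serial
        for c in issued:
            self.by_serial.setdefault(c.serial, []).append(c)
            self.by_cert_id[cert_id(c)] = c

    def lookup_by_serial(self, serial: int):
        return self.by_serial.get(serial, [])

    def status_by_cert_id(self, cid: CertID) -> str:
        return "good" if cid in self.by_cert_id else "unknown"

    def status_by_whole_cert(self, cert: Cert) -> str:
        """Compare the presented certificate to the stored one, not merely its CertID."""
        stored = self.by_cert_id.get(cert_id(cert))
        if stored is None:
            return "unknown"
        same = hashlib.sha256(stored.stand_in_der()).digest() == \
            hashlib.sha256(cert.stand_in_der()).digest()
        return "issued" if same else "not issued"


def demo() -> dict:
    ca_a = (("2.5.4.3", "Example CA A"),)
    ca_b = (("2.5.4.3", "Example CA B"),)
    key_a, key_b = b"\x01" * 32, b"\x02" * 32          # constructed key stand-ins
    alice = Cert(ca_a, 1000, "alice", key_a)
    bob = Cert(ca_b, 1000, "bob", key_b)               # same serial, different issuer
    forged = Cert(ca_a, 1000, "mallory", key_a)        # forged CA-A signature, reused serial
    va = Responder([alice, bob])
    return {
        "serial_collides": len(va.lookup_by_serial(1000)),
        "certid_separates_issuers": cert_id(alice) != cert_id(bob),
        "forged_shares_certid": cert_id(alice) == cert_id(forged),
        "forged_by_certid": va.status_by_cert_id(cert_id(forged)),
        "forged_by_whole_cert": va.status_by_whole_cert(forged),
        "alice_by_whole_cert": va.status_by_whole_cert(alice),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it directly and `demo()` reports that a serial-only index returns two certificates for serial 1000, that the CertID separates the two issuers, and that the forged certificate shares its CertID with the genuine one, so a CertID-keyed lookup answers "good" for it while the whole-certificate comparison answers "not issued". Real deployments hash the actual DER TBSCertificate and carry the SubjectPublicKeyInfo bits rather than these stand-ins, but the indexing behaviour is the same.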