
RE: German Law and OCSP

> If a. is true, then you really need to send the whole cert to the
> VA and have the VA tell you if it was actually issued.

Or a hash of the cert.  The CA could generate an "issued list",
perhaps a signed sequence of hashes, and the OCSP Responder
could see if the hash the client sent was in the CA's whitelist.
(Unfortunately that area is rife with patents.)

> If b. then all you need to do is verify the signature on the cert
> and you are done - having the VA check for the cert in a directory
> is useless.

No -- see below.

> If I can get a level of security by relying on 1 component, I would
> prefer that solution, to one where I get the same level of security
> by relying on the security aspects of 2 components - the more
> pieces you need to be operated securely, the more insecure your
> solution.

Not necessarily: it depends on what "securely" really means.  If the
two components are under different domains of control, then you could
get greater security even if the level on each component is low.
In the above case, if someone has bribed a CA's overnight operator to
improperly sign a certificate, they'd presumably now have to spend
twice the amount of money to get the cert into the directory.  The
directory could say "we only accept certs after getting a phone
call from Mike Jones between 9am and 5pm."

	/r$
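The "issued list" idea above (the CA publishes a signed sequence of certificate hashes, and the OCSP responder answers "good" only for hashes on that whitelist) can be sketched in a few lines. The following is an added example, not code from the message, its author, or any OCSP implementation. It uses constructed byte strings in place of DER certificates, an HMAC tag in place of the CA's signature on the list, and a constructed key; the point it demonstrates is the one made in the reply: a certificate that carries a valid CA signature but was never recorded in the independently controlled issued list still comes back "unknown".

```python
import hashlib
import hmac
import json

# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
CERT_A = b"CERT:serial=1001;subject=CN=alice.example;issuer=CN=Example CA"
CERT_B = b"CERT:serial=1002;subject=CN=bob.example;issuer=CN=Example CA"
# A certificate that would verify under the CA key but was never entered in
# the issued list (the "bribed overnight operator" case from the message).
ROGUE = b"CERT:serial=9999;subject=CN=attacker.example;issuer=CN=Example CA"

# Constructed key for the issued-list signer. In the scheme described, this
# would be a CA signing key; HMAC stands in for that signature here so the
# example runs with the standard library only.
ISSUED_LIST_KEY = b"constructed-issued-list-signing-key"


def cert_hash(cert_der: bytes) -> str:
    """Hash the certificate bytes; this is what the client would send."""
    return hashlib.sha256(cert_der).hexdigest()


def build_issued_list(certs, key: bytes) -> dict:
    """CA side: produce the 'issued list', a tagged sequence of cert hashes."""
    hashes = sorted(cert_hash(c) for c in certs)
    payload = json.dumps(hashes, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"hashes": payload.decode(), "tag": tag}


def verify_issued_list(issued_list: dict, key: bytes) -> set:
    """Responder side: check the list's integrity tag before trusting it."""
    payload = issued_list["hashes"].encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, issued_list["tag"]):
        raise ValueError("issued list integrity check failed")
    return set(json.loads(payload))


def responder_status(client_cert_hash: str, whitelist: set) -> str:
    """Whitelist lookup: only hashes the CA recorded as issued are 'good'."""
    return "good" if client_cert_hash in whitelist else "unknown"


def check_certificate(cert_der: bytes, issued_list: dict, key: bytes) -> str:
    """End-to-end: client hashes the cert, responder verifies the list and looks it up."""
    whitelist = verify_issued_list(issued_list, key)
    return responder_status(cert_hash(cert_der), whitelist)


if __name__ == "__main__":
    issued = build_issued_list([CERT_A, CERT_B], ISSUED_LIST_KEY)
    for name, cert in (("CERT_A", CERT_A), ("ROGUE", ROGUE)):
        print(name, check_certificate(cert, issued, ISSUED_LIST_KEY))
```

The whitelist check is independent of the signature check on the certificate itself: a cert signed with the CA key but absent from the issued list is still reported "unknown", which is exactly why the reply argues that two components under separate control can add security. A real deployment would sign the list with a public-key signature and would need a freshness indicator on it, neither of which this sketch includes.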