
Generalizing the concept of id-pkix-ocsp-nocheck
I was recently having a conversation with a colleague and he
asked a question. Here goes:

In OCSP, we support the concept of a CA issuing a special
certificate to an OCSP responder, allowing it to respond on its
[the CA's] behalf with a special extended key usage flag.

We also allow the CA to indicate that the responder's cert does
not need to be validated by having it include the
id-pkix-ocsp-nocheck extension in the responder's certificate.

Why can't the concept of including an id-pkix-ocsp-nocheck
extension in a certificate be extended to any arbitrary certificate
to indicate that it doesn't need to be validated?

If this makes sense, should this capability be specified in
son-of-rfc2459?

Comments?

Ambarish


---------------------------------------------------------------------
Ambarish Malpani
Architect                                                650.567.5457
ValiCert, Inc.                                  ambarish@valicert.com
339 N. Bernardo Ave.                          http://www.valicert.com
Mountain View, CA 94043
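The two markers the post describes, as an added example that is not part of the original message or of any ValiCert code: the responder certificate carries the id-kp-OCSPSigning extended key usage (OID 1.3.6.1.5.5.7.3.9) and, optionally, the id-pkix-ocsp-nocheck extension (OID 1.3.6.1.5.5.7.48.1.5, whose value is ASN.1 NULL). The block below encodes a constructed Extensions sequence in DER, parses it back with a small hand-written DER reader, and decides what a client may do with such a certificate. The function and helper names are my own; the policy that nocheck is only honoured when the OCSPSigning EKU is also present is my design choice, since the extension is specified for responder certificates rather than arbitrary ones. The issuer check (the responder certificate must be issued by the CA whose certificates it vouches for) is out of scope here and would be done on the certificate's issuer and signature, not on its extensions.

```python
"""Encode and inspect the OCSP responder-certificate markers (added example).

Only the Extensions field of a certificate is modelled; OIDs are from
RFC 2560 / RFC 5280.  The DER helpers are deliberately minimal.
"""

ID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"      # extended key usage for responders
ID_PKIX_OCSP_NOCHECK = "1.3.6.1.5.5.7.48.1.5"  # "do not check this cert's status"
ID_CE_EXT_KEY_USAGE = "2.5.29.37"              # extKeyUsage extension OID


def _len(n):
    """DER length octets (short and long form)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body


DER_NULL = _tlv(0x05, b"")  # the mandated value of id-pkix-ocsp-nocheck


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))  # base-128, high group first
    return _tlv(0x06, bytes(out))


def _read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    ln = buf[pos + 1]
    pos += 2
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    v = 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))


def extension(oid, value, critical=False):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }"""
    body = encode_oid(oid)
    if critical:
        body += _tlv(0x01, b"\xff")
    return _tlv(0x30, body + _tlv(0x04, value))


def build_extensions(ext_list):
    return _tlv(0x30, b"".join(ext_list))


def ocsp_responder_extensions(nocheck=True):
    """Constructed Extensions for a CA-delegated OCSP responder certificate."""
    eku = _tlv(0x30, encode_oid(ID_KP_OCSP_SIGNING))  # ExtKeyUsageSyntax
    exts = [extension(ID_CE_EXT_KEY_USAGE, eku)]
    if nocheck:
        exts.append(extension(ID_PKIX_OCSP_NOCHECK, DER_NULL))
    return build_extensions(exts)


def parse_extensions(der):
    """Map extnID -> (critical, raw extnValue) from a DER Extensions sequence."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    result, pos = {}, 0
    while pos < len(body):
        _, ext, pos = _read_tlv(body, pos)
        _, oid_b, p = _read_tlv(ext, 0)
        t, v, p = _read_tlv(ext, p)
        critical = False
        if t == 0x01:  # optional BOOLEAN before the OCTET STRING
            critical = v == b"\xff"
            t, v, p = _read_tlv(ext, p)
        result[decode_oid(oid_b)] = (critical, v)
    return result


def delegated_responder_policy(extensions_der):
    """Return (may_sign_ocsp, skip_status_check) for a candidate responder cert.

    may_sign_ocsp: EKU contains id-kp-OCSPSigning.
    skip_status_check: id-pkix-ocsp-nocheck present AND the cert is a responder
    cert; nocheck on any other certificate is ignored (assumed policy here).
    """
    exts = parse_extensions(extensions_der)
    purposes = []
    if ID_CE_EXT_KEY_USAGE in exts:
        _, body, _ = _read_tlv(exts[ID_CE_EXT_KEY_USAGE][1], 0)
        pos = 0
        while pos < len(body):
            _, oid_b, pos = _read_tlv(body, pos)
            purposes.append(decode_oid(oid_b))
    may_sign = ID_KP_OCSP_SIGNING in purposes
    skip = may_sign and ID_PKIX_OCSP_NOCHECK in exts
    return may_sign, skip


if __name__ == "__main__":
    print(delegated_responder_policy(ocsp_responder_extensions(nocheck=True)))
```

A certificate that carries only id-pkix-ocsp-nocheck without the OCSPSigning purpose yields (False, False) under this policy, which is exactly the distinction the question above is probing: today the extension is meaningful only on a certificate the CA has explicitly scoped to responding on its behalf.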