
RE: Generalizing the concept of id-pkix-ocsp-nocheck



I am suggesting that a CA does not require you to do a revocation
check on that certificate.

The reason a CA might want to do this is:

a. The CA has rules which say that the guarantees associated with
such certificates are more limited (e.g. utility certs in Identrus).

b. The CA "knows" that the cert will never be revoked [because
the CA controls that key with exactly the same care with which its
root key is protected].

c. The CA is trying to protect from infinite recursion [e.g. the
OCSP responder cert or maybe its indirect CRL signing cert].

Do we need to distinguish between a and b? Or should the CA do that
in its policies?

Regards,
Ambarish

---------------------------------------------------------------------
Ambarish Malpani
Architect                                                650.567.5457
ValiCert, Inc.                                  ambarish@valicert.com
339 N. Bernardo Ave.                          http://www.valicert.com
Mountain View, CA 94043


> -----Original Message-----
> From: Russ Housley [mailto:housley@spyrus.com]
> Sent: Thursday, June 22, 2000 1:45 PM
> To: Ambarish Malpani
> Cc: ietf-pkix@imc.org
> Subject: Re: Generalizing the concept of id-pkix-ocsp-nocheck
> 
> 
> Ambarish:
> 
> Are you suggesting that the replying party should blindly accept any 
> certificate that contains this flag?  Or, are you suggesting that the 
> flag indicates that no revocation information is available for the 
> certificate?
> 
> Russ
> 
> 
> At 09:26 PM 06/20/2000 -0700, Ambarish Malpani wrote:
> 
> >I was recently having a conversation with a colleague and he
> >asked a question. Here goes:
> >
> >In OCSP, we support the concept of a CA issuing a special
> >certificate to an OCSP responder, allowing it to respond on its
> >[the CA's] behalf with a special extended key usage flag.
> >
> >We also allow the CA to indicate that the responder's cert does
> >not need to be validated by having it include the
> >id-pkix-ocsp-nocheck extension in the responder's certificate.
> >
> >Why can't the concept of including an id-pkix-ocsp-nocheck
> >extension in a certificate be extended to any arbitrary certificate
> >to indicate that it doesn't need to be validated?
> >
> >If this makes sense, should this capability be specified in
> >son-of-rfc2459?
> >
> >Comments?
> >
> >Ambarish
> >
> >
> >---------------------------------------------------------------------
> >Ambarish Malpani
> >Architect                                                650.567.5457
> >ValiCert, Inc.                                  ambarish@valicert.com
> >339 N. Bernardo Ave.                          http://www.valicert.com
> >Mountain View, CA 94043
>
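
Added example, not part of the original thread: a toy model of the recursion in point (c), showing that checking a delegated responder's own status never terminates unless its certificate carries id-pkix-ocsp-nocheck. The `Cert` model, the sample names and the policy in `nocheck_applies` (extension honoured only on an OCSPSigning certificate from the same issuer) are assumptions of this sketch.

```python
from dataclasses import dataclass

OCSP_NOCHECK = "1.3.6.1.5.5.7.48.1.5"  # id-pkix-ocsp-nocheck
OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"     # id-kp-OCSPSigning

@dataclass(frozen=True)
class Cert:  # toy model (assumption), not a parsed X.509 certificate
    subject: str
    issuer: str
    responder: str  # subject of the cert that signs OCSP answers about this cert
    ekus: frozenset = frozenset()
    extensions: frozenset = frozenset()

class RevocationLoop(Exception):
    """Checking a cert's status ends up requiring its own status."""

class Revoked(Exception):
    """The queried certificate is listed as revoked."""

def nocheck_applies(responder, cert):
    # Assumed policy: skip the signer's revocation check only for a delegated
    # responder (OCSPSigning EKU) issued by the same CA as the cert in question.
    return (OCSP_NOCHECK in responder.extensions
            and OCSP_SIGNING in responder.ekus
            and responder.issuer == cert.issuer)

def check_revocation(cert, store, revoked, in_progress=()):
    """Return the subjects whose status was queried, in order."""
    if cert.subject in in_progress:
        raise RevocationLoop(" -> ".join(in_progress + (cert.subject,)))
    path = in_progress + (cert.subject,)
    responder = store[cert.responder]
    queried = []
    if not nocheck_applies(responder, cert):
        # The response is only as good as its signer, so check the signer first.
        queried += check_revocation(responder, store, revoked, path)
    if cert.subject in revoked:
        raise Revoked(cert.subject)
    return queried + [cert.subject]

def make_store(responder_extensions):
    # Constructed sample PKI: one CA, one delegated responder, one end-entity cert.
    responder = Cert("ocsp.ca.example", "CA", "ocsp.ca.example",
                     frozenset({OCSP_SIGNING}), frozenset(responder_extensions))
    server = Cert("www.example", "CA", "ocsp.ca.example")
    return {c.subject: c for c in (responder, server)}
```
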