
RE: OCSP-X vs SCVP



> It seems to me that this discussion has focused on encoding and syntax, but
> not on the semantics of path creation and validation. In other words, what
> are the requirements for server-based (including delegated) path creation
> (or discovery) and validation.

Right, one should concentrate on the requirements. 
 
From your wording, it seems to me that you are mainly interested in one use case,
i.e., determining the validity of a cert in order either to verify a signature
or authentication, or to verify the validity of an encryption cert before
using it?

> I would like to see PKIX's solution support the ability for a client to make
> one request to a server to create and validate a certification path given an
> end-entity certificate, with the option of having the server return the path
> in its response. It should also be possible to include one or more
> end-entity certificates in a request.

If this requirement were the only one, wouldn't a conformant
implementation just be a sequence of certificates sent
within a connection to an authenticatable server, getting a sequence of
chains back?

Other "possible" requirements or questions:

- The result of the service should not only be verifiable at the
  moment when received by the client, but also later.

- If multiple certs are validated, should it be
  possible to split the result while keeping the possibility of
  authenticating the response parts, or not?

- Is a response independent of the request, or is it necessary
  to include a reference to it in the long-term authenticatable
  part?
  
- The server indicates why the certification path is valid and what
  efforts have been made. 

- The response may be included in some data (for example as
  part of a signed attribute).

- The service should help to verify an xmldsig signature. I.e., the
  result should allow a thin client to present a human-readable
  interpretation of the certificate and the verified path without
  looking at the ASN.1 blobs.

- ...