
Which protocol - SCVP or OCSPv2 with OCSPpath/OCSPvalid?




Here are some of my thoughts on why I think SCVP is the right
way to go ahead with remote path processing (RPP), rather than
creating a new version of OCSP (OCSPv2) and then defining OCSPpath
and OCSPvalid.

Issues with OCSPv2
------------------
- It causes uncertainty and concern about OCSP, even though there
aren't really any problems with the protocol itself
- It will cause a bunch of interoperability issues with OCSP for
certificate status checks, because now you can identify a
certificate in many different ways
- The semantics of what a server is required to do for a plain
OCSP request are unclear - does it need to check the expiry of
the certificate, what about the signature, etc on the cert?
- It is unclear to me that the right thing to do is to change a
stable protocol just to add a bunch of new functionality, that
doesn't really do anything more for the base protocol.
- If we go this route, we will take a lot longer to actually
reach a usable spec for RPP, because our first 12 months will
be spent debating the changes to OCSP
- I would actually like the current OCSP, with some minor
clarifications and changing of the required signature algorithm
to RSA (from DSA), to continue on the standards track; we have
actually had a reasonable amount of interop testing on it


Issues with this approach
-------------------------
- It is very unclear to me that OCSPvalid is trying to do the
same thing as OCSP. So why is there such a strong interest in
doing it as an extension to OCSP - I believe it will actually
cause more confusion than clarification, where when somebody
says they support OCSP and another person wants to use OCSP, there
is no guarantee that they are talking about the same thing.


Ambarish

---------------------------------------------------------------------
Ambarish Malpani
Architect                                                650.567.5457
ValiCert, Inc.                                  ambarish@valicert.com
339 N. Bernardo Ave.                          http://www.valicert.com
Mountain View, CA 94043