[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: DPD & DPV requirements

To: "Slone, Skip" <skip.slone@xxxxxxxx>
Subject: RE: DPD & DPV requirements
From: Stephen Kent <kent@xxxxxxx>
Date: Wed, 10 Jan 2001 17:09:31 -0500
Cc: PKIX-List <ietf-pkix@xxxxxxx>
In-reply-to: <>
References: <>

Skip,

If we do agree to support DPV server recursion, then the suggested changes are appropriate ones to consider.

First, though, on what basis would you propose that a client enable/disable recursion or set a depth limit? Since a client is completely dependent on a DPV server to answer a query, and has no local means of validating any supporting data sent along with the answer, what does recursion say about the trust that the client places in the server? If one believes that trust is transitive, recursion may well be fine, and a simple numerical limit on depth of recursion would not seem to be a good way to express limits on the transitivity (e.g., one bad choice of a DPV server for reliance is enough to kill you). If you don't think trust is transitive, then recursion is inappropriate, unless you operate in a closed environment where the recursion is among servers operated by the same org and is really just an internal decision on how to implement the server.

Perhaps this is one reason why I am not yet comfortable with adding recursion to servers. I'd like to see some analysis of why it makes sense, whether it makes sense for both DPD and DPV, etc.

Steve

References:
- RE: DPD & DPV requirements
  - From: Slone, Skip

Prev by Date: RE: Basic Cert-2-Directory mapping question
Next by Date: Re: Basic Cert-2-Directory mapping question
Previous by thread: RE: DPD & DPV requirements
Next by thread: RE: DPD & DPV requirements
Index(es):
- Date
- Thread