
RE: DPD & DPV requirements - Recursion Issues



Frank,

Wouldn't a DPD/DPV server solely carry out the task of discovering and
validating paths, and possibly use other protocols (e.g., LDAP, OCSP, etc.),
which might be recursive, to assist in this process? So unless sub-DPD/DPV
servers take part in path discovery or validation, I would not describe
DPD/DPV as recursive.

I think we're mostly in agreement. We expect a DPV or DPD server to make use of other servers, e.g., LDAP and OCSP. If an LDAP server makes a recursive call, the results can (should?) still be "flattened" before returning to the user and have no security implications, since LDAP is not trusted. So there's not necessarily any evidence of this hidden recursion in the response, nor any security implication. For OCSP, I didn't think recursion is supported in the response structure, so the issue there is moot. Finally, as I noted earlier, this is most importantly a DPV issue, since no trust is vested in a DPD server. Still, we have to decide if there is merit in allowing recursive syntax for DPD responses.


Since we don't trust DPD servers per se, the only issue I see here is whether the DPD server to which a request was made can return OCSP responses that were gathered by other DPD servers, without making that obvious to the client. I'll rely on Ambarish or Mike to answer that question, since I don't recall the format details well enough.

Steve