RE: DPD & DPV requirements - Recursion Issues
Dear Frank and Peter,
To my knowledge the term "Transitive trust" is definitely there.
Since a client trusts server 1, any information that comes back from
it is treated as trusted, no matter what other parties are included
in the response. And the fact that I trust server 1 really does not mean
that I should trust server 2, but since server 1 is trusting server 2
it forms a trust chain, in which I am trusting server 2 indirectly.
This indirect trust should be invisible to the client, so that the
client thinks that he is trusting only the party he trusts.
It is better to repackage the response instead
of using a recursive approach, because the client should be unaware
of the recursion.
regards,
Vishal.
-----Original Message-----
From: Peter Sylvester [mailto:Peter.Sylvester@xxxxxxxxxx]
Sent: Friday, January 12, 2001 3:28 PM
To: ietf-pkix@xxxxxxx; ccovey@xxxxxxxxxx
Subject: RE: DPD & DPV requirements - Recursion Issues
>
> Frank and Peter,
>
> I'd be happy for someone to define a set of terms for use in this
> context, if it would benefit the discussion.
Yes.
>
> The "transitive trust" issue that was referred to earlier arises in
> the context of "relaying" DPV status. The client asks server 1 to
> validate the status of a certificate, and server 1 "relays" some or
> all of the validation process to server 2. When the response comes
> back from server 2, server 1 then prepares a response to the client
> based wholly or in part on the information obtained from server 2.
Where do you have "transitive trust"? Client trusts server 1, and that's
all. Client may inspect server 1's response in order to inform its "client"
that server 1 came to whatever conclusion because it has received
an answer from 2, but that does not mean that client has to trust server 2.
>
> When I originally used the term "recursion" I had in mind a recursive
> data structure, i.e. a DPD response that contains another DPD
> response that might in turn contain another DPD response. This is one
> method for returning the "relayed" status information to the client.
> This particular method raises the syntactic complexity issue that
> was mentioned in a previous email. This syntactic complexity is avoided
> if server 1 extracts information from server 2's response and repackages
> it into a nonrecursive data structure that it then sends to the client.
I have in mind that server 1 always creates a new answer. This answer
is authoritative. As additional information, OCSP responses and other servers'
responses are added. A client does not need to look at them in order to
do this business.
> As I mentioned in an earlier email, one advantage of the recursive data
> structure is that it allows the optional timestamp on the embedded DPD
> responses to be retained.
Whatever is contained in a response, it is left untouched.
regards
peter
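A small model of the relaying arrangement discussed above, added here as an illustration and not taken from any PKIX draft or implementation: server 1 issues its own authoritative, non-recursive answer, embeds server 2's response untouched (so its own timestamp and signature survive), and the client checks only server 1. HMAC with constructed keys stands in for the servers' signatures, and the message layout, key names and certificate id are invented for the example.

```python
import hmac
import hashlib
import json

# Constructed secrets for the example; a real DPV server would sign with its private key.
KEYS = {"server1": b"server1-secret", "server2": b"server2-secret"}


def sign(signer: str, body: dict) -> dict:
    """Canonicalise the body and attach an HMAC tag (stand-in for a signature)."""
    payload = json.dumps(body, sort_keys=True)
    tag = hmac.new(KEYS[signer], payload.encode(), hashlib.sha256).hexdigest()
    return {"signer": signer, "payload": payload, "sig": tag}


def verify(signer: str, resp: dict) -> bool:
    """Check that resp was produced under the named signer's key."""
    expected = hmac.new(KEYS[signer], resp["payload"].encode(), hashlib.sha256).hexdigest()
    return resp.get("signer") == signer and hmac.compare_digest(expected, resp["sig"])


def server2_validate(cert_id: str) -> dict:
    """Server 2 does the actual path validation and timestamps its answer (constructed values)."""
    return sign("server2", {"cert": cert_id, "status": "good", "timestamp": "2001-01-12T15:28:00Z"})


def server1_relay(cert_id: str, relayed: dict) -> dict:
    """Server 1 builds a new, authoritative answer for the client.

    Server 1 (not the client) decides whether to believe server 2. The relayed
    response is embedded verbatim, left untouched, so anyone auditing later can
    still verify server 2's signature and timestamp on it.
    """
    status = json.loads(relayed["payload"])["status"] if verify("server2", relayed) else "unknown"
    return sign("server1", {"cert": cert_id, "status": status, "evidence": [relayed]})


def client_check(cert_id: str, resp: dict) -> str:
    """The client's trust stops at server 1: only server 1's tag is verified."""
    if not verify("server1", resp):
        raise ValueError("response not from the trusted server")
    body = json.loads(resp["payload"])
    if body["cert"] != cert_id:
        raise ValueError("response is for a different certificate")
    return body["status"]


def audit_embedded(resp: dict) -> bool:
    """Optional: because the embedded answers were left untouched, they still verify under server 2's key."""
    return all(verify("server2", e) for e in json.loads(resp["payload"])["evidence"])
```

Handing the client server 2's answer directly is rejected, which is the point: the client never trusts server 2, only server 1's repackaged conclusion.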