
RE: DPD & DPV Basics



Mike,

Steve,

 > On Thursday, January 11, 2001, 3:05 PM you wrote:
 >
 > The strawman already calls for a DPD server to perform validation.

While I await WG consensus on the requirements, in Pittsburgh the DPD I-D
authors observed that a DPD server need not be subject to ITSEC/Common
Criteria/whatever certification due to its untrusted role.  Suggesting that
a DPD server must perform validation seems to refute this objective.  A DPD
client certainly has every reason to expect that the information it receives
from a DPD server is well structured against the subject certificate. Any
thoughts on how we can or should balance these two?

There is no conflict here. As the strawman already notes, a DPD client is PKI-aware and is expected to validate the returned data, so any failure by the DPD server has no adverse security implications for the client, other than denial of service. A DPD server is still untrusted.


Steve