Re: DPD & DPV Basics
Michael Myers wrote:
> > On Thursday, January 11, 2001 12:34 PM you wrote:
> > The basic job of a DPD server is to discover a certification path. In
> > its most basic form, it will perform the following steps:
> >
> > 1) Receive a request containing a target certificate and inputs to the
> > validation algorithm (trust anchors, etc.)
> > 2) Attempt to discover a certification path ending in the target
> > certificate that will validate properly given the supplied inputs
> > 3) Send a response containing the results of the discovery process
> > (at least an indication of success or failure and, in the success
> > case, the discovered certification path)
> >
>
> The current DPD I-D also defines a fourth area of functionality. It enables
> a client to iteratively discover a path acceptable to the client in the case
> where a given certificate may be subject to multiple valid paths.

I'd say that's a refinement on the basic form listed above. It's
interesting, though. As I read your I-D, the RetryReference (which I
think is what you're referring to) allows the client to say "try again,
I didn't like that path". If there are many possible paths (as there
would be in a mesh topology), this probably won't work well. It would be
more efficient for the client to say what it's looking for in a path.
What things do you think a client might be looking for that couldn't be
expressed in the parameters supplied to the DPD server? And why? If
there is a short list with good reasons for each, we could provide a
standard way for the client to request those. But we should probably
provide this mechanism to handle the cases we missed. Of course, the
client could just refer to a validation policy OID that the server and
client both understand. But this won't handle the case where the server
and client haven't agreed on such a policy. Or where the client's
requirement is variable (all certs must contain a custom extension whose
contents match the project name I'm working on, or some such).
-Steve
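The three DPD steps quoted above and the two client models discussed in the reply (a "try again" retry loop versus the client stating its requirement up front), as an added illustration that is not code from this thread or from any DPD implementation. Certificates are plain dicts rather than X.509 objects, issuer relationships are modelled by name matching only (no signatures are checked), and the "project" extension and all names are constructed for the example:

```python
# Added example, not code from the thread or from any DPD implementation: a toy
# Delegated Path Discovery (DPD) server over an in-memory certificate set.
# Certificates are plain dicts rather than X.509 objects, and "this cert was
# signed by that issuer" is modelled by issuer-name matching only, so no real
# signature or validity checking happens here.
from collections import defaultdict

# Constructed sample certificate set: a small cross-certified mesh with two
# roots that cross-certify each other, one intermediate under each root, and
# an end-entity "alice" certified by both intermediates. The hypothetical
# "project" extension stands in for the custom extension the reply mentions.
CERTS = [
    {"subject": "RootA", "issuer": "RootA", "ext": {}},
    {"subject": "RootB", "issuer": "RootB", "ext": {}},
    {"subject": "RootB", "issuer": "RootA", "ext": {"project": "blue"}},  # cross-cert
    {"subject": "RootA", "issuer": "RootB", "ext": {"project": "blue"}},  # cross-cert
    {"subject": "IntA", "issuer": "RootA", "ext": {"project": "blue"}},
    {"subject": "IntB", "issuer": "RootB", "ext": {"project": "red"}},
    {"subject": "alice", "issuer": "IntA", "ext": {"project": "blue"}},
    {"subject": "alice", "issuer": "IntB", "ext": {"project": "red"}},
]


def path_key(path):
    """Stable, hashable identity for a path: its (subject, issuer) pairs."""
    return tuple((c["subject"], c["issuer"]) for c in path)


def discover_paths(target_subject, certs, trust_anchors, max_len=6):
    """Step 2 of the quoted list: find every certification path from one of
    the trust anchors to a certificate for target_subject. A path is a list of
    certs, the one issued by the trust anchor first and the target last; the
    self-signed anchor certificates themselves are not part of a path."""
    by_subject = defaultdict(list)
    for c in certs:
        if c["subject"] != c["issuer"]:  # drop self-signed certs
            by_subject[c["subject"]].append(c)
    paths = []

    def walk(chain, visited):
        head = chain[0]
        if head["issuer"] in trust_anchors:
            paths.append(list(chain))  # complete path; no need to extend it
            return
        if len(chain) >= max_len:
            return
        for issuer_cert in by_subject[head["issuer"]]:
            if issuer_cert["subject"] in visited:  # cross-certs create cycles
                continue
            walk([issuer_cert] + chain, visited | {issuer_cert["subject"]})

    for target in by_subject[target_subject]:
        walk([target], {target_subject})
    return paths


def dpd_respond(request, certs, rejected=frozenset()):
    """One DPD round trip (steps 1 and 3). `request` carries the target name,
    the trust anchors and, optionally, `require`: a predicate on a path that
    models the client stating up front what it is looking for. `rejected` is
    the set of path keys the client has already refused, modelling the
    "try again, I didn't like that path" style of iteration."""
    candidates = discover_paths(request["target"], certs, request["trust_anchors"])
    require = request.get("require", lambda path: True)
    for path in candidates:
        if path_key(path) in rejected or not require(path):
            continue
        return {"status": "success", "path": path}
    return {"status": "failure", "path": None}


def all_have_project(value):
    """Client requirement: every cert in the path carries project == value."""
    return lambda path: all(c["ext"].get("project") == value for c in path)


def client_retry_loop(request, certs, accept, max_rounds=10):
    """Client side of the retry model: keep asking, rejecting each path the
    server returns, until one passes `accept`. Returns (path, round_trips)."""
    rejected = set()
    for rounds in range(1, max_rounds + 1):
        resp = dpd_respond(request, certs, frozenset(rejected))
        if resp["status"] != "success":
            return None, rounds
        if accept(resp["path"]):
            return resp["path"], rounds
        rejected.add(path_key(resp["path"]))
    return None, max_rounds


if __name__ == "__main__":
    req = {"target": "alice", "trust_anchors": {"RootA", "RootB"}}
    want_red = all_have_project("red")
    path, rounds = client_retry_loop(req, CERTS, want_red)
    print("retry model:", [c["subject"] for c in path], "after", rounds, "round trips")
    resp = dpd_respond(dict(req, require=want_red), CERTS)
    print("stated requirement:", [c["subject"] for c in resp["path"]], "in 1 round trip")
```

With both roots trusted there are two paths to "alice"; with only RootA trusted the second path is still found, but it now runs through the RootA-issued cross-certificate for RootB, which is the mesh case the reply has in mind. The retry loop needs one round trip per rejected path before it reaches an acceptable one, whereas passing the requirement in the request settles it in one; and when no path can satisfy the requirement (only RootA trusted, every cert must be "red", but the cross-certificate is "blue") the server reports failure rather than looping.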