[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: DPD & DPV Basics

To: Stephen Kent <kent@xxxxxxx>
Subject: Re: DPD & DPV Basics
From: Steve Hanna <steve.hanna@xxxxxxx>
Date: Fri, 12 Jan 2001 16:31:50 -0500
Cc: PKIX List <ietf-pkix@xxxxxxx>
Organization: Sun Microsystems, Inc.
References: <> <>

Stephen Kent wrote:
> >Here's my take on the basic concepts of DPD and DPV:
> >
> >The basic job of a DPV server is to validate a certification path. In
> >its most basic form, it will perform the following steps:
> >
> >1) Receive a request containing a certification path and other inputs
> >    to the validation algorithm (trust anchors, required certificate
> >    policies, etc.)
> >2) Validate the supplied certification path using the supplied inputs
> >3) Send a response containing the results of the validation (at least,
> >    an indication of success or failure)
> >
> >Many refinements to this are possible: the client supplying only a
> >subset of the necessary inputs (by referring to an established policy),
> >the server returning supporting evidence such as CRLs and OCSP
> >responses, the client supplying CRLs or OCSP responses that may be
> >useful to the server, etc. But I think it may be useful to reach
> >agreement on the basic model described above before discussing these
> >refinements (however worthy).
> 
> I think the "refinement" re completeness of input is a basic issue,
> not just a refinement.  Also, the control inputs (non-cert and
> non-revocation status data) for validation may be explicit or
> references. I think the strawman motivated the need for both forms of
> specification, based on client capabilities, and the desire for
> centralized control of validation in some environments.  Also, the
> need for the DPV server to return data that supports NR seems like an
> important feature, for some set of apps, though not all.

Several people seem to have interpreted "refinement" as "not required".
I didn't mean that. I just wanted to focus on the most basic function of
a DPV or DPD server to make sure we had agreement on what that is.

> >I look forward to seeing a discussion on this topic. If no discussion
> >results, I suppose that I will conclude that there is general agreement
> >about these basic concepts. However, simple affirmative messages
> >agreeing with these basic concepts would be useful in judging rough
> >consensus.
> 
> I agree with the basic notions here, as qualified above.

Thanks for your prompt response.

-Steve

References:
- DPD & DPV Basics
  - From: Steve Hanna
- Re: DPD & DPV Basics
  - From: Stephen Kent

Prev by Date: Re: DPD & DPV Basics
Next by Date: RE: Basic Cert-2-Directory mapping question
Previous by thread: Re: DPD & DPV Basics
Next by thread: RE: DPD & DPV Basics
Index(es):
- Date
- Thread