RE: DPD & DPV requirements - Recursion Issues



Peter,

> Whatever is contained in a response, it is left untouched.
>
> [Carlin's latest response] OK, but what if there is no provision in the
> DPD response syntax for including an embedded DPD response? The good news
> is that the timestamp on the embedded DPD response is untouched. The bad
> news is that you can't include an embedded DPD response. Catch vingt-deux.


I am not the best candidate to answer questions about DPD. I am mainly
interested in DPV (as some might imagine).

Anyway, if I understand Mike Myers' remark correctly, if a DPD server
is essentially untrusted, then it could basically just rewrite a relayed
response.

Yes, but that will be caught by the client of a DPD server, even a DPV server that acts as a DPD client in performing its function, as Steve Hanna suggests.


A DPD server might have performed an OCSP check or a DPV check (for example
to validate a CA cert.) The response should be sent back to the DPD
client; this can be used by the client to make a decision about the
acceptability of the path.

An OCSP response is fair game, but I'm not sure I want the DPV response to be used recursively, yet.


Steve