Re: DPD & DPV Basics

[Paul Hoffman / IMC <phoffman@xxxxxxx>]

At 2:09 PM -0500 1/15/01, Steve Hanna wrote:
>  >From this message and several others, I gather that the basic motivation
> for having a DPV server is to provide services to simple, "PKI-ignorant"
> clients. Could someone please supply some examples of such clients? What
> protocols will they be speaking (other than the DPV protocol)? This
> would be very useful in determining the proper requirements for the DPV
> protocol.

Well, the one that started me on SCVP a few years ago was IPsec 
implementations. All they really care about is "is the party that 
just presented me with credentials someone for whom I have a security 
policy?". They use PKI to get that information, but they actually 
don't care about what the identity is after they have a) verified 
that they trust the identity and then b) found a match for it in 
their security policy set.

Another example would be non-human S/MIME clients, such as a secure 
automated order-processing that uses CMS messages over email. If the 
recipient of the message can establish trust in the identity in the 
cert and knows what to do with messages from that identity, that 
recipient doesn't really care about the identity itself.

In both cases, the details of what the path to the root is, who is in 
that path, and why they are in that path, are irrelevant. "Is this 
the signing/encrypting key for someone with whom I have an automated 
security policy: yes or no?"

--Paul Hoffman, Director
--Internet Mail Consortium