
RE: DPD & DPV: Strawman proposals - DPD signatures



> 
> Does DPD necessarily need to sign the result?
> I thought a DPD server was more analogous to an LDAP directory - you don't
> have to "trust" them (though you may rely on their collective availability).
> D = Discovery

Why not consider using an LDAP query for DPD,
i.e., define either some additional control if necessary, or
just the data that have to be put into this 'server', and the
queries that have to be sent.

This would work in some way with CRLs and certs. 
 
> A DPD searches out all the required items (certs, CRLs, OCSP responses,
> timestamps, ...), but each of those items has its own signature so the DPD
> server itself does not have to be trusted (in the same sense that you don't
> need to trust a directory that stores certificates).
> 
> 
> [Note: this is in sharp contrast to DPV (V = validation), where there is
> definite trust placed in the server so it must be authenticated as the
> origin of the result.  Another reason for separate protocols.]

If the DPV response is not intended to be stored by the client
together with some other data, but just to make a local decision,
then no signature is necessary, only server authentication, for
example by SSL/TLS. If the client application wants to store the
result, this is different.

It may be necessary that the response can be authenticated later
by another verifying entity; this means that an appropriate
security envelope is necessary. A signature is one possible way.

----

How many people think that we are talking about two separate
protocols?
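Added example, not part of this thread or of any DPD/DPV draft: a Go sketch of the two trust models the message contrasts. On the DPD side the client checks the issuer signature that each returned item (cert, CRL, OCSP response) already carries, so the server that delivered them needs no key of its own and can be hostile. On the DPV side the verdict is the server's own statement; if it is to be kept and shown to a later verifier it has to be wrapped in the DPV server's signature, not just carried over an authenticated channel. Ed25519 keys, the JSON encoding, the item/envelope structs and the sample bodies are assumptions made for illustration; real messages would be ASN.1 and real items would be X.509 objects.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// DPDItem is one artifact a DPD server hands back (cert, CRL, OCSP response, ...).
// Each item carries the signature its own issuer put on it; the server adds nothing.
type DPDItem struct {
	Kind   string // "cert", "crl", "ocsp" (constructed labels)
	Issuer string // name of the authority whose key signed Body
	Body   []byte
	Sig    []byte
}

// SignItem models an issuer producing an item long before any DPD server serves it.
func SignItem(kind, issuer string, body []byte, key ed25519.PrivateKey) DPDItem {
	return DPDItem{Kind: kind, Issuer: issuer, Body: body, Sig: ed25519.Sign(key, body)}
}

// VerifyDPDResponse checks every item against the key of its issuer. Which server
// delivered the items is irrelevant; only the issuer keys are trusted.
func VerifyDPDResponse(items []DPDItem, issuers map[string]ed25519.PublicKey) error {
	for _, it := range items {
		pk, ok := issuers[it.Issuer]
		if !ok {
			return fmt.Errorf("%s: unknown issuer %q", it.Kind, it.Issuer)
		}
		if !ed25519.Verify(pk, it.Body, it.Sig) {
			return fmt.Errorf("%s from %s: bad signature", it.Kind, it.Issuer)
		}
	}
	return nil
}

// DPVResult is the server's verdict. Sent over an authenticated channel only, it is
// good for an immediate local decision but proves nothing to a third party later.
type DPVResult struct {
	CertSubject string
	Valid       bool
	At          time.Time
}

// DPVEnvelope wraps a result in the DPV server's own signature so the client can
// store it and a later verifier can check who issued the verdict.
type DPVEnvelope struct {
	Result []byte // JSON encoding of DPVResult (the signed bytes)
	Sig    []byte
}

// SealDPV is what the DPV server does when the client asked for a storable result.
func SealDPV(res DPVResult, serverKey ed25519.PrivateKey) (DPVEnvelope, error) {
	body, err := json.Marshal(res)
	if err != nil {
		return DPVEnvelope{}, err
	}
	return DPVEnvelope{Result: body, Sig: ed25519.Sign(serverKey, body)}, nil
}

// OpenDPV is what any later verifier does with a stored envelope: it must hold and
// trust the DPV server's public key, which is exactly the trust DPD does not need.
func OpenDPV(env DPVEnvelope, serverPub ed25519.PublicKey) (DPVResult, error) {
	var res DPVResult
	if !ed25519.Verify(serverPub, env.Result, env.Sig) {
		return res, errors.New("envelope not signed by the trusted DPV server")
	}
	err := json.Unmarshal(env.Result, &res)
	return res, err
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	issuers := map[string]ed25519.PublicKey{"CA": caPub}
	// Constructed sample: a DPD server returns a cert and a CRL from the same CA.
	items := []DPDItem{
		SignItem("cert", "CA", []byte("CN=alice,O=example"), caPriv),
		SignItem("crl", "CA", []byte("revoked: serial 42"), caPriv),
	}
	fmt.Println("DPD, honest server:", VerifyDPDResponse(items, issuers))
	items[1].Body = []byte("revoked: none") // a hostile DPD server rewrites the CRL
	fmt.Println("DPD, tampered CRL:", VerifyDPDResponse(items, issuers))

	dpvPub, dpvPriv, _ := ed25519.GenerateKey(rand.Reader)
	env, _ := SealDPV(DPVResult{CertSubject: "CN=alice", Valid: true, At: time.Now().UTC()}, dpvPriv)
	res, err := OpenDPV(env, dpvPub)
	fmt.Println("DPV envelope opened by a later verifier:", res.Valid, err)
}
```

The asymmetry is the whole point of the message: in VerifyDPDResponse the only keys involved belong to issuers the client already trusts, so a DPD server can be as untrusted as an LDAP directory, while OpenDPV cannot work without trusting a key that belongs to the DPV server itself.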