RE: Online Certificate Revocation Protocol
Massimiliano
Correct me if I'm wrong but I assumed the shared secret in a RevRequest
(section 5.11 draft-ietf-pkix-rfc2510bis-04.txt) would provide a system to
reduce the risk of DoS.
Paul Gogarty
ASN.1 Developer
De La Rue InterClear Ltd.
De La Rue House
Jays Close
Viables
Basingstoke
England
RG22 4BS
Fax: +44 (0)1256 487755
Tel: +44 (0)7879 458416
mailto:paul.gogarty@xxxxxxxxxxxxxxxx
http://www.interclear.co.uk/
-----Original Message-----
From: owner-ietf-pkix@xxxxxxxxxxxx
[mailto:owner-ietf-pkix@xxxxxxxxxxxx]On Behalf Of Massimiliano Pala
Sent: Friday, June 08, 2001 10:02 AM
To: ietf-pkix@xxxxxxx
Subject: Re: Online Certificate Revocation Protocol
Carlin Covey wrote:
> But none of these allow a certificate to be revoked. I gather that
> you are interested in a protocol for requesting revocation of
> certificates.
> Check out CMP, available at
> http://www.ietf.org/internet-drafts/draft-ietf-pkix-rfc2510bis-04.txt
This could be the case, anyway I was thinking of something more "robust"
and a little bit complex -- as request/response contents -- to prevent
unauthorized revoking requesting to prevent as much as possible DoS but
allowing for a simple revocation method. This could help environments where
legal issues are also covered -- government PKIs, Municipalities PKIs,
etc...
The model I've been thinking of is mostly based on a structure very similar
to the model proposed in OCSP. The chosen transport mechanism could be
HTTP -- this could help browsers in adding the functionality and CSP to
implement the service.
--
C'you,
Massimiliano Pala
--o-------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager] madwolf@xxxxxxxxxx
madwolf@xxxxxxxxxxxxxxx
http://www.openca.org Tel.: +39 (0)59 270 094
http://openca.sourceforge.net Mobile: +39 (0)347 7222 365