
Re: DPD/DPV reqmts
Some other remarks to the 'additional answers'.


> 
> [Additional Answer 5]
> 
> Authentication of the service before sending a request is not performed in
> similar protocols like OCSP. There is no particular reason to do so for this
> protocol.

Wrong, my dear Sir Denis Pinkas: 

! A.1.1 Request

   ...
!                         Where privacy is
!   a requirement, OCSP transactions exchanged using HTTP MAY be
!   protected using either TLS/SSL or some other lower layer protocol.

Unless, of course, if Thou thinkest that privacy does not include
authentication of the partner ... 

> 
> [Additional Answer 6]
> 
> There is no requirement on the protocol to support confidentiality. In the
> same way OCSP does not support confidentiality at the level of the protocol,
> but can support it at the transport level.


It seems that You don't understand. The requirement is that there is
a privacy requirement, and the protocol designers should "provide"
or "use some means". A protocol can always respond to a
requirement by its own means or use other services.

Of course, as Thou hast said elsewhere, You might consider this
extremely obvious, and thus omitted.

> 
> [Additional Answer 7]
> 
> It is unclear what requirement is being addressed and what kind of treatment
> would be done with such an identity field.

This is not unclear, did Thou omittest 'for me'?

The requirement addressed is similar to the one in TSP that led
to the inclusion of a field tsa in the response.

There is a difference between a 'declaration of identity' and
authenticating it or deducing an identity from some authentication
means.
 
> 
> [Additional Answer 8]
> 
> There is no requirement for relaying or referrals. We are not going to jump
> into the complexity of protocols like DAP(Directory Access Protocol). Note
> also that in addition to the YES/NO/DONTKNOW authenticable answer, the path
> elements may be returned.

May You (Denis) please avoid using the word "We" in an ambiguous way.
Who is "We"?  How do these "We" decide what?

There is a requirement, similar to the one for OCSP caches,
that a server just relays a request to another. This has been
discussed several times; the differences have only been about
to what degree the relaying should become visible, and whether one
server can rewrite/re-sign the answers of another, etc.
Relaying via cache is an obvious feature in many OCSP implementations;
how do they protect themselves against loops between two servers?

Denis, it seems to me that You are confusing
"I don't understand how to respond to a requirement"
with "there is no requirement".

There is a requirement (at least I see one) that,
depending on a policy, a server must return all reasons that
contributed to its decision. And this may include that it has
obtained a DPV response for a CA cert.

> [Additional Answer 9]
> 
> As already said, there has been plenty of discussion on the list regarding
> the number of states.  People clearly want the fewest possible number.

You are confusing 'necessary' and 'useful'. 



Peter
PS: I always thought that 'You' is the correct polite way to address
a specific person or a group, whilst 'you' just means something
similar to 'one' in sentences like 'one might not want to implement this'.