
RE: Offline Root CA with valid CRL hierachie

Steve:

The question is not of Root revocation, but of establishing trust in and
checking the revocation status (if the trust is certificate based) of the
OCSP Responder itself.

In the other comments, I do not see an area where you disagree with me.  If
you do, please point that out to me.

-----Original Message-----
From: Steve Hanna [mailto:steve.hanna@xxxxxxx] 
Sent: Friday, January 03, 2003 2:43 PM
To: Santosh Chokhani
Cc: ietf-pkix@xxxxxxx
Subject: Re: Offline Root CA with valid CRL hierachie


Santosh Chokhani wrote:
> I am thoroughly confused.  First, what I am proposing will work if the 
> RP is using indirect CRL.  I am making a modest assumption that an RP 
> that can process indirect CRL can also process full and complete CRL.

Right. The primary benefit of pre-issued CRLs over indirect CRLs or OCSP is
that pre-issued CRLs work with any RP that can process CRLs (any RFC 3280
compliant RP) whereas the others require support for features not required
by RFC 3280.

> In terms of OCSP, if your solution is OCSP only, I still think the 
> approach I suggest will be a good way to supply the revocation 
> information to the OCSP responders, especially if there are many of 
> them or if you want the convenience of distributing the revocation 
> information over untrusted networks.

I don't know much about how people generally supply
revocation information to OCSP responders. Certainly,
I expect that your system would work fine. But I expect
that many OCSP responders would support indirect CRLs,
so that might also be a solution. And some people might
just use SSH. I don't know.

> How the OCSP Responder for off-line root revocation should be 
> architected is a separate topic with its own nuances.

I didn't think we were discussing how to revoke a root.
As you say, that's a separate topic. Let's leave it aside
for now, unless there's some pressing need to address it.

-Steve
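As an added illustration that is not code from this thread, here is the pre-issued CRL scheme the exchange above discusses, written against Go's standard library: the root signs a run of CRLs in advance, each covering one time window, and the relying party needs nothing beyond ordinary CRL processing to use them. The constructed test root, the function names and the sample serials are my own assumptions.

```go
package main
import ("crypto/ecdsa"; "crypto/elliptic"; "crypto/rand"; "crypto/x509"; "crypto/x509/pkix"; "errors"; "math/big"; "time")
// NewOfflineRoot builds a self-signed root with the crlSign key usage (constructed test CA
// standing in for the real offline root).
func NewOfflineRoot() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Offline Root"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der, err := x509.CreateCertificate(rand.Reader, tpl, tpl, &key.PublicKey, key)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
// PreIssueCRLs is the offline root's side: in one online session it signs n CRLs, the i-th
// covering [start+i*window, start+(i+1)*window). Each carries the root's signature, so the DER
// blobs can be moved to distribution points over untrusted networks.
func PreIssueCRLs(root *x509.Certificate, key *ecdsa.PrivateKey, start time.Time,
	window time.Duration, n int, revokedSerials []int64) ([][]byte, error) {
	var entries []pkix.RevokedCertificate
	for _, s := range revokedSerials {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: start})
	}
	var crls [][]byte
	for i := 0; i < n; i++ {
		tpl := &x509.RevocationList{Number: big.NewInt(int64(i + 1)), RevokedCertificates: entries,
			ThisUpdate: start.Add(time.Duration(i) * window), NextUpdate: start.Add(time.Duration(i+1) * window)}
		der, err := x509.CreateRevocationList(rand.Reader, tpl, root, key)
		if err != nil { return nil, err }
		crls = append(crls, der)
	}
	return crls, nil
}
// IsRevokedAt is the relying-party side and needs only ordinary RFC 3280 CRL processing:
// take the CRL whose window covers now, verify the root's signature on it, look the serial up.
func IsRevokedAt(root *x509.Certificate, crls [][]byte, serial int64, now time.Time) (bool, error) {
	for _, der := range crls {
		rl, err := x509.ParseRevocationList(der)
		if err != nil { return false, err }
		if now.Before(rl.ThisUpdate) || !now.Before(rl.NextUpdate) { continue } // not this window
		if err := rl.CheckSignatureFrom(root); err != nil { return false, err }
		for _, e := range rl.RevokedCertificates {
			if e.SerialNumber.Cmp(big.NewInt(serial)) == 0 { return true, nil }
		}
		return false, nil // covered by a valid CRL and not listed
	}
	return false, errors.New("no pre-issued CRL covers this time: status unknown") // fail closed
}
func main() {}
```

Note that the relying party fails closed when no pre-issued CRL covers the evaluation time, which is the situation the offline root must avoid by bringing the root online before the last pre-issued window expires.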