
RE: OCSP and LDAP




Hi Peter,
    I have still to see a place where using CRLs as the
mechanism for letting a VA know of changes in the revocation
data has led to poorer performance than having the VA access
the CA's database directly.

It also allows larger PKIs to deploy responders in multiple
remote locations (where they might not want to replicate their CAs'
databases).

Regards,
Ambarish

---------------------------------------------------------------------
Ambarish Malpani                                         650.759.9045
Malpani Consulting Services                      ambarish@xxxxxxxxxxx
http://www.malpani.biz



> -----Original Message-----
> From: owner-ietf-pkix@xxxxxxxxxxxx
> [mailto:owner-ietf-pkix@xxxxxxxxxxxx]On Behalf Of Peter Gutmann
> Sent: Saturday, January 04, 2003 9:31 PM
> To: ambarish@xxxxxxxxxxx; ietf-pkix@xxxxxxx; madwolf@xxxxxxxxxxxxxxx
> Subject: RE: OCSP and LDAP
>
>
>
> "Ambarish Malpani" <ambarish@xxxxxxxxxxx> writes:
>
> >You should seriously consider having your responder work off a CA's CRL,
> >rather than trying to access its database directly. There are a set of
> >reasons why this is a good idea. Here are a few (in no particular order):
>
> You should seriously consider having your responder work off a CA's database
> rather than trying to use CRLs. There are a set of reasons why this is a good
> idea. Here are a few (in no particular order):
>
> - Real-time cert status rather than inserting an artificial delay for
>   compatibility with OSI ideology (someone once said that the only reason
>   you'd want to drive an online status protocol from an offline mechanism
>   is if you wanted to emphasise how broken it was [0]).
>
> - Much better performance (I have an RFC draft in the works which looks at
>   this which should be out RSN, I hope).  You can't build a faster system than
>   the one described in the RFC.
>
>   (Actually in the process of working on the RFC draft, I've discovered that
>   there are already a surprising number of implementations which work directly
>   from a CA database, some dating back to before OCSP was even an RFC.
>   Standardising this operation, rather than having everyone do their own
>   proprietary version, was one of the motivations for writing the draft).
>
> [0] I've lost the source of this quote, if it's yours please let me know so I
>     can attribute it.
>
> Hope this helps,
> Regards,
> Peter.
>
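
The freshness gap the two posters are arguing about, as an added Python model
(this is not code from either poster, nor from any PKIX implementation). It
puts a CRL-fed responder and a CA-database-fed responder side by side on the
same constructed revocation event and shows where their answers diverge. The
one-hour CRL period, the five-minute fetch delay, the serial number and the
revocation time are all made-up inputs; the choice that the CRL-fed responder
says "good" for any serial absent from its CRL and "unknown" once that CRL is
past nextUpdate is a modelling assumption, not something the thread states.

```python
"""CRL-fed vs. CA-database-fed OCSP responder: a toy freshness model.

Added example for the thread above; not code from either poster.
Times are integer seconds from an arbitrary epoch, serials are ints,
and the revocation scenario in simulate() is constructed.
"""
from dataclasses import dataclass, field


@dataclass
class CADatabase:
    """Authoritative revocation records, as the CA itself holds them."""
    revoked_at: dict = field(default_factory=dict)   # serial -> revocation time

    def revoke(self, serial: int, when: int) -> None:
        self.revoked_at[serial] = when

    def is_revoked(self, serial: int, now: int) -> bool:
        t = self.revoked_at.get(serial)
        return t is not None and t <= now


@dataclass(frozen=True)
class CRL:
    """Snapshot of the CA database, valid from this_update to next_update."""
    this_update: int
    next_update: int
    serials: frozenset


def issue_crl(db: CADatabase, now: int, period: int) -> CRL:
    """The CA cuts a CRL listing everything revoked as of `now`."""
    listed = frozenset(s for s, t in db.revoked_at.items() if t <= now)
    return CRL(now, now + period, listed)


class CRLBackedResponder:
    """Answers from the last CRL it fetched; it knows nothing newer.
    Only the CRL has to reach it, so it can sit anywhere (Ambarish's point)."""
    def __init__(self) -> None:
        self.crl = None

    def load(self, crl: CRL) -> None:
        self.crl = crl

    def status(self, serial: int, now: int) -> str:
        # Modelling choice (assumption): refuse to answer from an expired CRL.
        if self.crl is None or now > self.crl.next_update:
            return "unknown"
        return "revoked" if serial in self.crl.serials else "good"


class DBBackedResponder:
    """Answers from the live CA database, so status is as of `now`
    (Peter's point); it needs a connection to that database."""
    def __init__(self, db: CADatabase) -> None:
        self.db = db

    def status(self, serial: int, now: int) -> str:
        return "revoked" if self.db.is_revoked(serial, now) else "good"


def worst_case_staleness(crl_period: int, fetch_delay: int) -> int:
    """Longest a CRL-fed responder can keep saying 'good' about a revoked
    cert: revoked just after a CRL is cut, plus the time to fetch the next."""
    return crl_period + fetch_delay


def simulate(crl_period: int = 3600, fetch_delay: int = 300) -> list:
    """Constructed scenario: serial 0x1234 is revoked at t=100.
    Returns (time, crl_fed_answer, db_fed_answer) for four queries."""
    db = CADatabase()
    crl_va, db_va = CRLBackedResponder(), DBBackedResponder(db)
    serial = 0x1234

    crl_va.load(issue_crl(db, 0, crl_period))     # CRL #1 at t=0: nothing revoked
    db.revoke(serial, 100)                        # CA revokes the cert
    next_crl = issue_crl(db, crl_period, crl_period)   # CRL #2, cut at t=period
    arrival = crl_period + fetch_delay            # ...reaches the remote VA later

    results = []
    for t in (50, 200, arrival - 1, arrival):
        if t >= arrival:
            crl_va.load(next_crl)
        results.append((t, crl_va.status(serial, t), db_va.status(serial, t)))
    return results


if __name__ == "__main__":
    for t, via_crl, via_db in simulate():
        print(f"t={t:5d}  CRL-fed: {via_crl:8s}  DB-fed: {via_db}")
```

Running it shows the two responders agreeing before the revocation and after
the second CRL arrives, the CRL-fed one answering "good" in between (the window
`worst_case_staleness` bounds), and, because this model cuts CRL #2 exactly at
CRL #1's nextUpdate, an "unknown" stretch while the new CRL is in transit; real
deployments avoid that last gap by issuing the next CRL before the current one
expires, which does nothing for the "good"-while-revoked window.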