
RE: OCSP and LDAP

I wrote:

>I think one of the reasons why there aren't more complaints about CRLs is
>because so many apps only pay lip service to revocation checking, so it
>doesn't really matter if it doesn't work properly ("We go through the motions
>because the CA policy requires it"/"It's turned off by default, but we can
>claim it's there"/"We realise the CRL is almost always out of date, but our
>accounting processes should catch any problems"/etc are all excuses I've
>heard).

Before someone leaps in here with the obvious "Well, DoD PKI users (or
something similar) do check CRLs, so they must be OK", what I was referring to
was the civilian masses who are expected to adopt PKI at some point.
Government users are a special case in that they have infinite resources to
throw at a project, can be ordered to use CRLs (or to charge a machine-gun),
and various other things that don't apply to the masses.

I realise that you can always dig up some user somewhere to illustrate some
point ("DoD users use X.400 email, so it must be OK"), but that's not a good
example of what the masses are doing.  I'm not going to be able to sell X.400
to commercial users on this basis, and a semi-functional validity checking
mechanism supplying out-of-date information is also rather a hard sell.  When
I hear users who do actually care about checking certs (for example ones using
them for medical EDI) say things like "We rely for the most part on the
hospitals to control access, and in any case it's no worse than the existing
paper-based system", I have to worry about how long they'll continue listening
to PKI advocates telling them how wonderful it's all going to be...

Peter.