
Re: OCSP and LDAP



I agree with Peter.

I don't think OCSP in a not so distant future has to be more
technically costly than accessing a web-page.  Including a signed
answer.

Some banks in Sweden believe 20 cents/lookup is a reasonable
fee as it is "comparable to putting a stamp on a letter".

Personally I don't think the VA-business model has much future
as it complicates the way parties interact.  It essentially
requires two or three global VA-networks in the world to function
and that seems very unlikely to happen.  It feels like the VA business
model is crafted according to the lines of credit-card authorizations,
but that is a rather different type of business IMHO.

Pardon the slightly orthogonal input, but business & technology do
have rather interesting connections...

Anders

----- Original Message ----- 
From: "Peter Gutmann" <pgut001@xxxxxxxxxxxxxxxxx>
To: <ambarish@xxxxxxxxxxx>; <ietf-pkix@xxxxxxx>; <madwolf@xxxxxxxxxxxxxxx>; <pgut001@xxxxxxxxxxxxxxxxx>
Sent: Sunday, January 05, 2003 09:20
Subject: RE: OCSP and LDAP



"Ambarish Malpani" <ambarish@xxxxxxxxxxx> writes:

>I have still to see a place where using CRLs as the mechanism for letting a
>VA know of changes in the revocation data has led to poorer performance than
>having the VA access the CA's database directly.

Most of the CAs I know of issue CRLs a few times a day, some as infrequently
as once a day.  If I'm doing processing with any kind of value attached to the
transaction, I want to know whether the cert is valid right now, not whether
it was OK last night when the CRL was issued (substitute "credit card" for
"cert" to see why this is important).  I have never seen a situation where an
offline CRL gives better performance than a real-time check of a live
database, unless you happen to catch it just as the CRL is being issued, which
(for a 24-hour CRL time) only works about once in 86,400 times.

I think one of the reasons why there aren't more complaints about CRLs is
because so many apps only pay lip service to revocation checking, so it
doesn't really matter if it doesn't work properly ("We go through the motions
because the CA policy requires it"/"It's turned off by default, but we can
claim it's there"/"We realise the CRL is almost always out of date, but our
accounting processes should catch any problems"/etc are all excuses I've
heard).  If you build a system where you can tell users that there's a simple
online check which guarantees that at the time the check was done the cert was
valid (rather than being valid a couple of hours ago) following the credit
card model that businesses are used to, perhaps people would lend more weight
to the value of checking.  Actually, as mentioned in my previous message,
implementors are already doing this, and have been doing it for some time,
because people care about real-time cert status information, it's just not
standardised in any spec (yet :-) so you get a pile of proprietary ways of
doing it.

Peter.
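The freshness argument in the quoted message (a once-a-day CRL is almost always hours old, and "valid right now" is a different promise from "valid last night") comes down to a policy a relying party can actually enforce: reject status data older than the transaction tolerates, regardless of whether it came from a CRL or an OCSP response. The following is an added example written for this page, not code from either poster or from any PKIX specification. It goes slightly beyond the thread by also rejecting data past its nextUpdate and data whose thisUpdate is ahead of the local clock. All names (RevocationStatus, classify, fraction_of_checks_within_budget) and the sample timestamps are assumptions constructed for illustration; the 5-minute clock-skew tolerance is an arbitrary choice.

```python
"""Freshness policy for revocation data, applied to CRL and OCSP timing fields.

Added example for this thread, not code from the original posters. All
names, timings and policy values below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, Optional


class Freshness(Enum):
    FRESH = "fresh"      # young enough for this transaction
    STALE = "stale"      # inside its validity window, but older than the policy allows
    EXPIRED = "expired"  # past nextUpdate: the issuer promised newer data by now
    FUTURE = "future"    # thisUpdate is ahead of our clock beyond the skew tolerance


@dataclass(frozen=True)
class RevocationStatus:
    """Timing fields a relying party gets from a CRL (thisUpdate/nextUpdate)
    or from an OCSP SingleResponse (same field names). nextUpdate is optional
    in both, so it is modelled as Optional here."""
    source: str
    this_update: datetime
    next_update: Optional[datetime] = None


def classify(status: RevocationStatus, now: datetime, max_age: timedelta,
             skew: timedelta = timedelta(minutes=5)) -> Freshness:
    """Decide whether `status` is usable at `now` under a per-transaction
    freshness budget `max_age`. Order matters: data from the future or past
    its nextUpdate is rejected before the age test is applied, so a cached
    CRL from last week can never pass by accident."""
    if status.this_update > now + skew:
        return Freshness.FUTURE
    if status.next_update is not None and now > status.next_update + skew:
        return Freshness.EXPIRED
    if now - status.this_update > max_age:
        return Freshness.STALE
    return Freshness.FRESH


def fraction_of_checks_within_budget(issue_period: timedelta,
                                     max_age: timedelta) -> float:
    """For a CRL reissued every `issue_period`, the share of checks made at a
    uniformly random moment that find the CRL no older than `max_age`.
    With a 24-hour CRL and a 1-second budget this is 1/86400."""
    if issue_period <= timedelta(0):
        raise ValueError("issue_period must be positive")
    return min(1.0, max_age / issue_period)


# Constructed sample timings (hypothetical; not taken from the thread).
NOW = datetime(2003, 1, 5, 14, 30, tzinfo=timezone.utc)
LAST_NIGHTS_CRL = RevocationStatus(
    source="CRL",
    this_update=datetime(2003, 1, 5, 2, 0, tzinfo=timezone.utc),
    next_update=datetime(2003, 1, 6, 2, 0, tzinfo=timezone.utc),
)
LIVE_OCSP = RevocationStatus(
    source="OCSP",
    this_update=NOW - timedelta(seconds=30),
)
FORGOTTEN_CRL = RevocationStatus(          # left in a cache for days
    source="CRL",
    this_update=datetime(2003, 1, 1, 2, 0, tzinfo=timezone.utc),
    next_update=datetime(2003, 1, 2, 2, 0, tzinfo=timezone.utc),
)
CLOCK_AHEAD_OCSP = RevocationStatus(       # responder clock an hour ahead of ours
    source="OCSP",
    this_update=NOW + timedelta(hours=1),
)
ONE_SECOND_BUDGET_ODDS = fraction_of_checks_within_budget(
    timedelta(hours=24), timedelta(seconds=1))


def run_example() -> Dict[str, str]:
    """Apply two policies: a high-value one that wants status from the last
    hour, and a lip-service one that accepts anything not yet expired."""
    high_value = timedelta(hours=1)
    lip_service = timedelta(hours=24)
    return {
        "crl/high-value": classify(LAST_NIGHTS_CRL, NOW, high_value).value,
        "crl/lip-service": classify(LAST_NIGHTS_CRL, NOW, lip_service).value,
        "ocsp/high-value": classify(LIVE_OCSP, NOW, high_value).value,
        "stale-cache/high-value": classify(FORGOTTEN_CRL, NOW, high_value).value,
        "clock-ahead/high-value": classify(CLOCK_AHEAD_OCSP, NOW, high_value).value,
    }


if __name__ == "__main__":
    for name, verdict in run_example().items():
        print(f"{name:24s} {verdict}")
    print(f"24h CRL, 1s budget: {ONE_SECOND_BUDGET_ODDS:.2e} of checks see fresh data")
```

Under the one-hour budget the 12-hour-old CRL is rejected as stale while the 30-second-old OCSP response passes; under the 24-hour budget the same CRL passes, which is exactly the "lip service" configuration the message describes. The check is source-agnostic on purpose: an OCSP responder that pre-produces responses from last night's CRL fails the high-value policy just as the CRL itself does.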