RE: OCSP and LDAP
Hi Peter,
I agree completely with the statements that people don't
really use CRLs and that getting up to date information to all
clients via CRLs is hard.
I, too, wish people would just use OCSP and move on with things.
That was the whole idea behind doing Valicert.
As I explained before - using CRLs as a mechanism for getting
snapshots from the CA, ability to accept emergency CRLs and the
ability to revoke/suspend at the VA give people all the benefits
of OCSP without needing to change their CA or have their VA tied
into the CA/need access to the CAs database.
Regards,
Ambarish
---------------------------------------------------------------------
Ambarish Malpani 650.759.9045
Malpani Consulting Services ambarish@xxxxxxxxxxx
http://www.malpani.biz
> -----Original Message-----
> From: owner-ietf-pkix@xxxxxxxxxxxx
> [mailto:owner-ietf-pkix@xxxxxxxxxxxx]On Behalf Of Peter Gutmann
> Sent: Sunday, January 05, 2003 12:20 AM
> To: ambarish@xxxxxxxxxxx; ietf-pkix@xxxxxxx; madwolf@xxxxxxxxxxxxxxx;
> pgut001@xxxxxxxxxxxxxxxxx
> Subject: RE: OCSP and LDAP
>
>
>
> "Ambarish Malpani" <ambarish@xxxxxxxxxxx> writes:
>
> >I have still to see a place where using CRLs as the mechanism for letting a
> >VA know of changes in the revocation data has led to poorer performance than
> >having the VA access the CA's database directly.
>
> Most of the CAs I know of issue CRLs a few times a day, some as infrequently
> as once a day. If I'm doing processing with any kind of value attached to the
> transaction, I want to know whether the cert is valid right now, not whether
> it was OK last night when the CRL was issued (substitute "credit card" for
> "cert" to see why this is important). I have never seen a situation where an
> offline CRL gives better performance than a real-time check of a live
> database, unless you happen to catch it just as the CRL is being issued, which
> (for a 24-hour CRL time) only works about once in 86,400 times.
>
> I think one of the reasons why there aren't more complaints about CRLs is
> because so many apps only pay lip service to revocation checking, so it
> doesn't really matter if it doesn't work properly ("We go through the motions
> because the CA policy requires it"/"It's turned off by default, but we can
> claim it's there"/"We realise the CRL is almost always out of date, but our
> accounting processes should catch any problems"/etc are all excuses I've
> heard). If you build a system where you can tell users that there's a simple
> online check which guarantees that at the time the check was done the cert was
> valid (rather than being valid a couple of hours ago) following the credit
> card model that businesses are used to, perhaps people would lend more weight
> to the value of checking. Actually, as mentioned in my previous message,
> implementors are already doing this, and have been doing it for some time,
> because people care about real-time cert status information, it's just not
> standardised in any spec (yet :-) so you get a pile of proprietary ways of
> doing it.
>
> Peter.
>
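Editor's added example (not code from either poster or from Valicert): a toy validation authority modelling the design Ambarish describes above (CRL snapshots from the CA, an emergency CRL accepted out of schedule, revoke/suspend decided at the VA) alongside the staleness Peter objects to. Each answer carries the age of the evidence behind it, so the "good" returned ten hours after the nightly CRL is visibly ten hours old until an emergency CRL or a VA-local decision supersedes it. The class names, the timeline, the issuer name and the serial numbers are all invented for illustration; the CRL fields follow RFC 5280.

```python
"""Toy validation authority fed by CRL snapshots (added example, not from the thread).
It learns revocations from CRL snapshots, accepts an emergency CRL (a CRL with a
higher crlNumber pushed ahead of schedule), lets its operator revoke or suspend a
serial locally, and reports how old the data behind each answer is. Class names,
timeline and serial numbers are invented."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


@dataclass(frozen=True)
class CrlSnapshot:
    """The RFC 5280 CRL fields the VA needs."""
    issuer: str
    crl_number: int            # CRL Number extension, must increase per issuer
    this_update: datetime
    next_update: datetime
    revoked: dict              # serial -> (revocation time, reason)


@dataclass
class StatusResponse:
    status: Status
    reason: Optional[str]
    this_update: Optional[datetime]   # when the evidence was produced
    produced_at: datetime             # when the VA answered (OCSP producedAt)

    @property
    def data_age(self) -> timedelta:  # zero only for the VA's own decisions
        return self.produced_at - self.this_update if self.this_update else timedelta(0)


@dataclass
class ValidationAuthority:
    crls: dict = field(default_factory=dict)    # issuer -> newest CrlSnapshot
    local: dict = field(default_factory=dict)   # (issuer, serial) -> (time, reason)

    def ingest_crl(self, crl: CrlSnapshot) -> bool:
        """Accept only a CRL whose crlNumber supersedes the one held, so a
        replayed or out-of-order CRL can never roll the VA back."""
        held = self.crls.get(crl.issuer)
        if held is not None and crl.crl_number <= held.crl_number:
            return False
        self.crls[crl.issuer] = crl
        return True

    def revoke_locally(self, issuer, serial, when, reason="keyCompromise"):
        self.local[(issuer, serial)] = (when, reason)

    def suspend_locally(self, issuer, serial, when):
        self.local[(issuer, serial)] = (when, "certificateHold")

    def lift_local_hold(self, issuer, serial) -> bool:
        entry = self.local.get((issuer, serial))
        if entry is None or entry[1] != "certificateHold":
            return False    # only a hold can be lifted; a revocation is final
        del self.local[(issuer, serial)]
        return True

    def status(self, issuer, serial, now: datetime) -> StatusResponse:
        local = self.local.get((issuer, serial))
        if local is not None:   # the VA's own decision is its freshest data
            return StatusResponse(Status.REVOKED, local[1], now, now)
        crl = self.crls.get(issuer)
        if crl is None or now >= crl.next_update:
            # No snapshot, or one the CA no longer stands behind: do not vouch.
            return StatusResponse(Status.UNKNOWN, None, crl.this_update if crl else None, now)
        if serial in crl.revoked:
            return StatusResponse(Status.REVOKED, crl.revoked[serial][1], crl.this_update, now)
        return StatusResponse(Status.GOOD, None, crl.this_update, now)


def demo() -> dict:
    """Constructed timeline: a key is compromised between two daily CRLs."""
    t0 = datetime(2003, 1, 5, 0, 0, tzinfo=timezone.utc)
    ca, va = "CN=Example CA", ValidationAuthority()
    nightly = CrlSnapshot(ca, 41, t0, t0 + timedelta(hours=24),
                          {0x1001: (t0 - timedelta(days=3), "superseded")})
    va.ingest_crl(nightly)
    # 09:00 serial 0x2002 is compromised; at 10:00 the VA still says GOOD from
    # 10-hour-old data, which is the objection to once-a-day CRLs.
    stale = va.status(ca, 0x2002, t0 + timedelta(hours=10))
    # 10:05 the CA pushes an emergency CRL; a minute later the VA says REVOKED.
    emergency = CrlSnapshot(ca, 42, t0 + timedelta(hours=10, minutes=5), t0 + timedelta(hours=24),
                            {**nightly.revoked, 0x2002: (t0 + timedelta(hours=9), "keyCompromise")})
    va.ingest_crl(emergency)
    fresh = va.status(ca, 0x2002, t0 + timedelta(hours=10, minutes=6))
    replayed = va.ingest_crl(nightly)            # old CRL replayed: rejected
    va.suspend_locally(ca, 0x3003, t0 + timedelta(hours=11))
    held = va.status(ca, 0x3003, t0 + timedelta(hours=11, minutes=1))
    va.lift_local_hold(ca, 0x3003)
    released = va.status(ca, 0x3003, t0 + timedelta(hours=11, minutes=2))
    expired = va.status(ca, 0x3003, t0 + timedelta(hours=25))   # past nextUpdate
    return dict(stale=stale, fresh=fresh, replayed=replayed, held=held, released=released, expired=expired)
```

Two design choices worth noting: the VA refuses to answer "good" once the newest snapshot is past its nextUpdate rather than quietly vouching from data the CA no longer stands behind, and CRLs are ordered by crlNumber rather than by arrival time, so a replayed older CRL cannot un-revoke a certificate that an emergency CRL has already revoked.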