
Re: OCSP and LDAP



<snip>

>Let's take another example ... driver's license. If you get stopped .... the
>typical real-time, online response isn't about whether the license is
>revoked or not (that is a trivial subset) .... it is how many traffic
>citations/warrants are outstanding .... number of parking tickets, and
>potentially some number of other pieces of real-time, dynamic information.

No problem.
The licensee authenticates to the "traffic police server", which uses
OCSP to verify that the TTP-issued license is not revoked.
Assuming the license was OK, the server then invokes other
"authorities" for any additional information needed, using the
identity as given in the license (certificate).  The result is returned
as a nicely formatted screen on the officer's PDA.  Except for
the fact that the screen is static [:-)], I don't see any particular
staleness here.  Unless it is the *possible* reliance on CRLs
you have a problem with.  But CRLs are just an option.

But you do have a point.  To put a lot of potentially stale information
in a certificate is a bad idea.  "Employee certificates" are an example
of a broken scheme, as they vouch for not less than three things:
an individual, an organization, and an unspecified [= totally useless]
association between these two entities.  Here I really believe that your
on-line, real-time paradigm will become the norm.

<snip>

Anders
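The flow Anders sketches (authenticate with the license certificate, check revocation via OCSP or optionally a CRL, then query other authorities keyed by the identity in the license) is modelled below as an added example; it is not code from the thread or from any OCSP implementation. It assumes the OCSP response and CRL signatures have already been verified elsewhere and models only the status and freshness decisions, which is where the staleness question in the thread lives: an expired OCSP response, a CRL past its nextUpdate, or an "unknown" status must all cause the license to be rejected before any further lookups are made. All certificates, responses and "authorities" are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional

# Constructed, simplified model of the post's exchange (example code, not
# from the thread).  Signature checks on responses are assumed done already.

@dataclass(frozen=True)
class Certificate:
    serial: int
    subject: str            # identity carried in the "license"
    issuer: str             # the TTP that issued it
    not_before: datetime
    not_after: datetime

@dataclass(frozen=True)
class OCSPResponse:
    serial: int
    status: str             # "good" | "revoked" | "unknown" (RFC 2560 CertStatus)
    this_update: datetime
    next_update: Optional[datetime]
    nonce: Optional[bytes] = None   # nonce echoed from the request, if one was sent

@dataclass(frozen=True)
class CRL:
    issuer: str
    revoked_serials: frozenset
    this_update: datetime
    next_update: datetime

class RevocationCheckFailed(Exception):
    pass

def check_ocsp(cert, resp, now, request_nonce=None, max_age=timedelta(minutes=10)):
    """Accept only a fresh response, for this certificate, whose status is 'good'."""
    if resp.serial != cert.serial:
        raise RevocationCheckFailed("response is for a different certificate")
    if request_nonce is not None and resp.nonce != request_nonce:
        raise RevocationCheckFailed("nonce mismatch: possible replayed response")
    if resp.this_update > now:
        raise RevocationCheckFailed("response dated in the future")
    if resp.next_update is not None and now > resp.next_update:
        raise RevocationCheckFailed("response stale (nextUpdate passed)")
    if resp.next_update is None and now - resp.this_update > max_age:
        raise RevocationCheckFailed("response older than local freshness limit")
    if resp.status == "good":
        return True
    # "revoked" and "unknown" both mean the license must not be accepted.
    raise RevocationCheckFailed(f"certificate status is {resp.status}")

def check_crl(cert, crl, now):
    """The optional CRL path: reject a stale list rather than trust it."""
    if crl.issuer != cert.issuer:
        raise RevocationCheckFailed("CRL issuer does not match certificate issuer")
    if now > crl.next_update:
        raise RevocationCheckFailed("CRL stale (nextUpdate passed)")
    if cert.serial in crl.revoked_serials:
        raise RevocationCheckFailed("certificate listed in CRL")
    return True

def traffic_police_lookup(cert, now, revocation_check, authorities):
    """Validity window -> revocation -> only then ask the other authorities."""
    if not (cert.not_before <= now <= cert.not_after):
        raise RevocationCheckFailed("certificate outside its validity period")
    revocation_check(cert, now)          # raises unless the license is acceptable
    return {name: lookup(cert.subject) for name, lookup in authorities.items()}

# --- constructed sample data -------------------------------------------------
NOW = datetime(2001, 6, 1, 12, 0, tzinfo=timezone.utc)
LICENSE = Certificate(4711, "driver:anders", "TTP-DMV",
                      NOW - timedelta(days=365), NOW + timedelta(days=365))
AUTHORITIES: Dict[str, Callable[[str], object]] = {
    "citations": lambda who: 2 if who == "driver:anders" else 0,
    "warrants": lambda who: [],
    "parking_tickets": lambda who: 5 if who == "driver:anders" else 0,
}

def demo():
    """Run the three scenarios: fresh 'good' OCSP, 'revoked' OCSP, stale CRL."""
    nonce = b"\x01\x02\x03\x04"
    fresh_good = OCSPResponse(4711, "good", NOW - timedelta(minutes=1),
                              NOW + timedelta(hours=1), nonce)
    revoked = OCSPResponse(4711, "revoked", NOW - timedelta(minutes=1),
                           NOW + timedelta(hours=1), nonce)
    stale_crl = CRL("TTP-DMV", frozenset(), NOW - timedelta(days=30),
                    NOW - timedelta(days=1))
    out = {}
    out["ocsp_good"] = traffic_police_lookup(
        LICENSE, NOW, lambda c, t: check_ocsp(c, fresh_good, t, nonce), AUTHORITIES)
    for label, check in [
        ("ocsp_revoked", lambda c, t: check_ocsp(c, revoked, t, nonce)),
        ("crl_stale", lambda c, t: check_crl(c, stale_crl, t)),
    ]:
        try:
            traffic_police_lookup(LICENSE, NOW, check, AUTHORITIES)
            out[label] = "accepted"
        except RevocationCheckFailed as e:
            out[label] = f"rejected: {e}"
    return out

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

The ordering in `traffic_police_lookup` is the point: the identity in the certificate is used to key the citation, warrant and parking lookups only after the revocation check has passed, so the "dynamic" data is never fetched on behalf of a revoked or unverifiable license. Treating "unknown" as a failure, and rejecting a CRL or OCSP response past its nextUpdate instead of using it, keeps the staleness Anders refers to out of the decision.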