Re: Offline Root CA with valid CRL hierachie
I don't think we disagree substantially. We discussed a few
different ways to provide timely revocation with an offline CA,
pointing out some of the pros and cons of each technique.
We may not agree on which technique is best, but ultimately
that's up to the CA operator.
-Steve
Santosh Chokhani wrote:
>
> Steve:
>
> The question is not of Root revocation, but of establishing trust in and
> checking the revocation status (if the trust is certificate based) of the
> OCSP Responder itself.
>
> In the other comments, I do not see an area where you disagree with me. If
> you do, please point that out to me.
>
> -----Original Message-----
> From: Steve Hanna [mailto:steve.hanna@xxxxxxx]
> Sent: Friday, January 03, 2003 2:43 PM
> To: Santosh Chokhani
> Cc: ietf-pkix@xxxxxxx
> Subject: Re: Offline Root CA with valid CRL hierachie
>
> Santosh Chokhani wrote:
> > I am thoroughly confused. First, what I am proposing will work if the
> > RP is using indirect CRL. I am making a modest assumption that an RP
> > that can process indirect CRL can also process full and complete CRL.
>
> Right. The primary benefit of pre-issued CRLs over indirect CRLs or OCSP is
> that pre-issued CRLs work with any RP that can process CRLs (any RFC 3280
> compliant RP) whereas the others require support for features not required
> by RFC 3280.
>
> > In terms of OCSP, if your solution is OCSP only, I still think the
> > approach I suggest will be a good way to supply the revocation
> > information to the OCSP responders, especially if there are many of
> > them or if you want the convenience of distributing the revocation
> > information over untrusted networks.
>
> I don't know much about how people generally supply
> revocation information to OCSP responders. Certainly,
> I expect that your system would work fine. But I expect
> that many OCSP responders would support indirect CRLs,
> so that might also be a solution. And some people might
> just use SSH. I don't know.
>
> > How the OCSP Responder for off-line root revocation should be
> > architected is a separate topic with its own nuances.
>
> I didn't think we were discussing how to revoke a root.
> As you say, that's a separate topic. Let's leave it aside
> for now, unless there's some pressing need to address it.
>
> -Steve
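An added example, not code from either correspondent, modelling the trade-off discussed above: a batch of CRLs signed in advance at one offline signing ceremony, the publisher's choice of which one to serve at a given time, and the check an RFC 3280 relying party applies. It assumes that "pre-issued CRLs" means CRLs with staggered, overlapping thisUpdate/nextUpdate windows, and that indirect-CRL handling is the optional feature a plain RFC 3280 RP may lack; all dates and intervals are constructed.

```python
from datetime import datetime, timedelta


def preissue_schedule(ceremony, interval, overlap, count):
    """(thisUpdate, nextUpdate) windows for `count` CRLs signed at one
    offline ceremony. Each window runs `interval` + `overlap`, so the
    published CRL stays fresh until its successor's thisUpdate arrives."""
    return [(ceremony + i * interval, ceremony + (i + 1) * interval + overlap)
            for i in range(count)]


def crl_to_publish(windows, now):
    """The CRL the (online) publisher should serve at `now`: the newest
    pre-issued CRL whose thisUpdate has already been reached."""
    live = [w for w in windows if w[0] <= now]
    return max(live, key=lambda w: w[0]) if live else None


def rp_accepts(window, now, indirect=False, rp_supports_indirect=False):
    """Baseline RP acceptance: the CRL must be fresh (nextUpdate not passed),
    and an indirect CRL is usable only if the RP implements that optional
    RFC 3280 feature. A pre-issued CRL is never indirect, so it passes the
    second test for every RP."""
    this_update, next_update = window
    if now > next_update:
        return False
    if indirect and not rp_supports_indirect:
        return False
    return True


def covered_until(windows):
    """Latest time at which some published CRL is still fresh, or None if the
    schedule has a gap (a CRL expires before its successor's thisUpdate)."""
    for prev, nxt in zip(windows, windows[1:]):
        if nxt[0] > prev[1]:
            return None
    return windows[-1][1]


if __name__ == "__main__":
    # Constructed ceremony: four weekly CRLs with one day of overlap.
    ceremony = datetime(2003, 1, 3, 12, 0)
    sched = preissue_schedule(ceremony, timedelta(days=7), timedelta(days=1), 4)
    now = datetime(2003, 1, 12, 9, 0)
    print("serving:", crl_to_publish(sched, now))
    print("covered until:", covered_until(sched))
```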