RE: I-D ACTION:draft-deacon-xkms-aia-00.txt [SCVP-AIA]

[Stephen Kent <kent@xxxxxxx>]

At 9:53 -0700 8/29/03, Trevor Freeman wrote:
> Steve,
> I don't see why the use of AIA is inappropriate for SCVP. It's just a
> hint like a lot of other things in certificates such as SKID. If the
> client has configured SCVP server it uses, it is free to ignore the
> information provided by the AIA, just as client with a locally
> configured OCSP server can ignore the OSCP pointer in the AIA extension
> today.
> Trevor
Trevor,

In part the question is what one views as the primary model for use 
of SCVP, and whether putting an SCBP pointer into a cert represents a 
significant opportunity for a new configuration management 
vulnerability, i.e., failure to populate a local SCVP pointer would 
allow the AIA value to be used instead.

Another matter is that SCVP (in its DPV role) is also designed for 
environments where the client is not presumed to be capable of 
processing certs. In that context, it does not seem to be useful to 
put in a pointer to a server, since the client would not be likely to 
be able to extract and make use of the pointer.

I have reread RFC 3379, the DPD/DPV requirements doc, and I see no 
references that would lead me to believe that a CA would be 
appropriate as a server for all RPs that might deal with certs issued 
by the CA.

What if several certs in a path each contained an SCVP server pointer 
in an AIA extension? While this would make sense for OCSP, it is not 
appropriate for SCVP.

Steve