RE: Unsigned DPD responses for SCVP15

["Michael Myers" <mmyers@xxxxxxxxx>]

Trevor,

I prefer the client-side flag option, with absence of the flag
defaulting to no signatures on SCVP responses containing ONLY
{path, rev-info}.

Mike


-----Original Message-----
From: owner-ietf-pkix@xxxxxxxxxxxx
[mailto:owner-ietf-pkix@xxxxxxxxxxxx]On Behalf Of Trevor Freeman
Sent: Monday, July 12, 2004 5:10 PM
To: ietf-pkix@xxxxxxx
Subject: Unsigned DPD responses for SCVP15


I have been asked to add unsigned responses for DPD clients to
SCVP15. There are two models proposed on how we accomplish that
both of which meet the requirements for 3379. I would therefore
like some feedback on how the group views the two mechanisms

Global Server Policy that it is DPD only
The first proposal is to make the option controlled by the
server as a global policy. Therefore the server would publish
via policy that is only supports DPD as such never signs a
response. DPV client and DPD clients wanting a signed response
then know to use another server.

SCVP Request option to not sign response
The second option is to leave it to the client to signal to the
server it does not need a signature on the response by a new
flag in the request (or its twin the flag indicates it does want
a signature on the response). This allows clients to be
benevolent towards the server by asking it to skip the
signature. Server can still at their discretion still sign.

Needless to say it is possible to hybridize the two but I am
hopeful we can try and keep this as simple as possible be
picking on of the two.
Trevor