Re: Last Call & idea for OCSP
> (draft-ietf-pkix-ipki2opp-03.txt) is now under consideration and I've seen
> no substantial comments on it. The FTP and HTTP portion,
> (draft-ietf-pkix-opp-ftp-http-00.txt), is also posted, and the only
> comments I've seen there are relatively minor ones re choice of MIME
> context types. I'd like to move forward on this one as well.
And the OCSP protocol?
This may be an idea for that protocol, so the CA doesn't have
to sign each answer separately (which takes quite some time):
- The CA divides its certs in groups of say 100 or 500
- When an OCSP_query for a cert C comes in:
* If the cert is not valid (revoked, expired, ...)
the CA replies with an ordinary OCSP-response.
* If the cert is valid, the CA makes a list of
all valid certs that are in the same group as cert C.
The CA then signs this list together with the current
time and sends it to the requestor. That one must look
for his cert C in the list to assure C is valid.
If another OCSP-query for a valid cert in the same group
as C comes in, within say a minute, the CA can simply
send the same message as for cert C without having to
sign anything.
(This resembles a bit the CRL functionality, but CRLs
may be much larger than this.)
(It's all based on Micali's paper at the previous
RSA conference.)
Don't know if this is old news or not realistic ...
Stef
-------------------------------------------------------------------------
stefan.hoeben@esat.kuleuven.ac.be | All wiyht.
Katholieke Universiteit Leuven | Rho sritched
Dept. Electrical Engineering-ESAT / COSIC | mg kegtops
K. Mercierlaan 94, B-3001 Heverlee, BELGIUM | awound?
tel. +32 16 32 10 73 fax. +32 16 32 19 86 |
-------------------------------------------------------------------------
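The grouped-response idea above, as an added example that is not part of the original mail: a toy CA that signs one list of valid certs per group and reuses it within a minute, plus the requestor-side check. Assumed: integer serials grouped by `serial // GROUP_SIZE`, an HMAC standing in for the CA's signature, and the names `GroupedOcspResponder` and `verify_valid`.

```python
import hmac
import hashlib

# Assumptions (constructed for this example): certs are identified by an
# integer serial, grouped by serial // GROUP_SIZE, and the CA "signature"
# is an HMAC standing in for a real CA signature.
GROUP_SIZE = 100   # "groups of say 100 or 500"
CACHE_TTL = 60     # seconds: reuse a signed group list "within say a minute"

class GroupedOcspResponder:
    def __init__(self, key, issued, revoked):
        self.key, self.issued, self.revoked = key, set(issued), set(revoked)
        self.cache = {}        # group id -> (signed_at, message, signature)
        self.sign_count = 0    # how often the CA actually had to sign

    def _sign(self, message):
        self.sign_count += 1
        return hmac.new(self.key, message, hashlib.sha256).digest()

    def respond(self, serial, now):
        if serial not in self.issued or serial in self.revoked:
            # Not valid: ordinary per-certificate OCSP-style response.
            msg = b"revoked:%d:%d" % (serial, now)
            return msg, self._sign(msg)
        gid = serial // GROUP_SIZE
        cached = self.cache.get(gid)
        if cached and now - cached[0] < CACHE_TTL:
            return cached[1], cached[2]          # same signed list, no new signature
        valid = sorted(s for s in self.issued
                       if s // GROUP_SIZE == gid and s not in self.revoked)
        msg = b"group:%d:%d:" % (gid, now) + b",".join(str(s).encode() for s in valid)
        sig = self._sign(msg)
        self.cache[gid] = (now, msg, sig)
        return msg, sig

def verify_valid(key, serial, msg, sig, now, max_age=CACHE_TTL):
    """Requestor side: check signature and freshness, then look for C in the list."""
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False
    kind, *fields = msg.decode().split(":")
    if kind != "group" or now - int(fields[1]) > max_age:
        return False
    return serial in {int(s) for s in fields[2].split(",") if s}
```

`sign_count` shows the saving: one signature serves every valid cert in the group for the reuse window. The requestor's freshness check is what bounds how long an old group list can be replayed, so `max_age` should be no larger than the CA's reuse window.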