Re: Last Call & idea for OCSP
Stef--
Work on OCSP is proceeding. A draft incorporating comments to date should
be available for final review in about two weeks.
Regarding an incremental certificate validity list, a server could equally
well cache prior signed responses per certificate. Sending back just that
response vs. a list of other valid certs that are potentially relevant
saves bandwidth. One might also consider the use of the HTTP "Expires:"
header field to yield caching effects on the requestor's Web server.
--Mike
At 03:55 PM 10/1/97 +0200, you wrote:
>
>And the OCSP protocol?
>
>This may be an idea for that protocol, so the CA doesn't have
>to sign each answer separately (which takes quite some time):
>
>- The CA divides its certs in groups of say 100 or 500
>- When an OCSP_query for a cert C comes in:
> * If the cert is not valid (revoked, expired, ...)
> the CA replies with an ordinary OCSP-response.
> * If the cert is valid, the CA makes a list of
> all valid certs that are in the same group as cert C.
> The CA then signs this list together with the current
> time and sends it to the requestor. That one must look
> for his cert C in the list to assure C is valid.
>
>If another OCSP-query for a valid cert in the same group
>as C comes in, within say a minute, the CA can simply
>send the same message as for cert C without having to
>sign anything.
>
>(This resembles a bit the CRL functionality but CRLs
>may be much larger than this.)
>
>(It's all based on Micali's paper on the previous
>RSA conference.)
>
>
>Don't know if it's old news or not realistic ...
>
>Stef
>
>-------------------------------------------------------------------------
>stefan.hoeben@esat.kuleuven.ac.be | All wiyht.
>Katholieke Universiteit Leuven | Rho sritched
>Dept. Electrical Engineering-ESAT / COSIC | mg kegtops
>K. Mercierlaan 94, B-3001 Heverlee, BELGIUM | awound?
>tel. +32 16 32 10 73 fax. +32 16 32 19 86 |
>-------------------------------------------------------------------------
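Both proposals in this thread, Stef's signed per-group list of valid certs reused for about a minute and Mike's alternative of caching each signed per-certificate response, simulated side by side as an added example (not code from either author or from any OCSP implementation). It assumes a toy CA in which an HMAC over a constructed key stands in for the CA's signature, constructed serial numbers and revoked set, and a requestor-side verify_group that does the "look for his cert C in the list" step; signing_cost counts how many signing operations each scheme needs for a burst of queries.

```python
import hmac, hashlib, json
GROUP_SIZE = 100  # Stef's "groups of say 100 or 500"
MAX_AGE_S = 60    # "within say a minute": how long a signed answer is reused

def _mac(key: bytes, body: dict) -> str:
    # Assumption: HMAC over a canonical encoding stands in for the CA's real signature
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

class ToyCA:
    def __init__(self, key: bytes, revoked: set, issued: int):
        self.key, self.revoked, self.issued = key, revoked, issued
        self.signatures = 0          # signing operations performed
        self.group_cache: dict = {}  # group id -> signed list of good certs
        self.cert_cache: dict = {}   # serial -> signed per-cert response

    def _sign(self, body: dict) -> dict:
        self.signatures += 1
        return {"body": body, "sig": _mac(self.key, body)}

    def group_response(self, serial: int, now: float) -> dict:
        """Stef's scheme: ordinary response if C is revoked, else the signed list of C's group."""
        if serial in self.revoked:
            return self._sign({"serial": serial, "status": "revoked", "time": now})
        g = serial // GROUP_SIZE
        cached = self.group_cache.get(g)
        if cached is None or now - cached["body"]["time"] > MAX_AGE_S:  # reuse while fresh
            valid = [s for s in range(g * GROUP_SIZE, min((g + 1) * GROUP_SIZE, self.issued)) if s not in self.revoked]
            cached = self.group_cache[g] = self._sign({"group": g, "valid": valid, "time": now})
        return cached

    def cert_response(self, serial: int, now: float) -> dict:
        """Mike's alternative: cache each signed per-certificate response."""
        cached = self.cert_cache.get(serial)
        if cached is None or now - cached["body"]["time"] > MAX_AGE_S:
            status = "revoked" if serial in self.revoked else "good"
            cached = self.cert_cache[serial] = self._sign({"serial": serial, "status": status, "time": now})
        return cached

def verify_group(resp: dict, key: bytes, serial: int, now: float) -> bool:
    """Requestor side: check MAC and freshness, then look for C in the list."""
    ok = hmac.compare_digest(resp["sig"], _mac(key, resp["body"]))
    return ok and now - resp["body"]["time"] <= MAX_AGE_S and serial in resp["body"].get("valid", [])

def signing_cost(serials: list, now: float = 0.0) -> dict:
    key, revoked = b"constructed-demo-key", {7, 250}  # constructed sample data
    stef, mike = ToyCA(key, revoked, 1000), ToyCA(key, revoked, 1000)
    for s in serials:
        stef.group_response(s, now)
        mike.cert_response(s, now)
    return {"group_list": stef.signatures, "per_cert": mike.signatures}
```

The per-certificate cache only pays off when the same cert is queried repeatedly within the freshness window, while the group list also covers first-time queries for neighbouring certs at the cost of a larger response.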