Re: [IETF-PKIX] OCSP v CRLs over HTTP
>----------
>From: Russ Housley[SMTP:housley@SPYRUS.COM]
>Sent: Tuesday, December 02, 1997 11:43 AM
>To: IETF-PKIX@LISTS.TANDEM.COM
>Subject: Re: [IETF-PKIX] OCSP v CRLs over HTTP
>
>the digital signature on the CRL returned by HTTP or FTP provides the
>authentication. How is comparable authentication provided in the
>alternative?
In a similar way: OCSP responses are either signed by the CA or signed
by the OCSP responder.
The latter is used if responders are separately certified, although my
understanding is that Mike was thinking of dropping this possibility
because of the added complexity of checking the revocation status of the
OCSP responder's certificate (which boils down to a second OCSP request
(i.e., one to the OCSP responder and one to the CA) thereby doubling
network traffic without reducing CA bandwidth).
--------------------------------------------
Carlisle Adams
Entrust Technologies
cadams@entrust.com
--------------------------------------------
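The two signing arrangements discussed in this thread, and the extra request a delegated responder costs, can be made concrete with a small model. The following is an added illustration written for this archive page; it is not code from either correspondent or from any OCSP implementation. Real signature verification is replaced by a key-identifier match (a constructed stand-in), all certificates and serial numbers are constructed sample values, and the no-check extension it consults comes from the later OCSP RFC rather than from the message above. It shows the checks a relying party has to make before trusting a response signed by someone other than the CA: the responder certificate must be issued by that same CA, must carry the OCSP-signing extended key usage, and, unless it is marked no-check, must itself be status-checked with a second request to the CA.

```python
from dataclasses import dataclass

# Constructed placeholder names for the OCSP-signing EKU and the no-check
# extension (assumption: real implementations compare OIDs, not strings).
OCSP_SIGNING = "id-kp-OCSPSigning"
OCSP_NOCHECK = "id-pkix-ocsp-nocheck"


@dataclass(frozen=True)
class Cert:
    serial: str
    subject: str
    issuer: str
    key_id: str                         # stands in for the public key
    eku: frozenset = frozenset()
    extensions: frozenset = frozenset()


@dataclass(frozen=True)
class OcspResponse:
    serial: str
    status: str                         # "good" or "revoked"
    signer_key_id: str                  # toy model of the response signature


class SimEndpoint:
    """Constructed server side: answers status queries, signing with one key."""

    def __init__(self, revoked, signer_key_id):
        self.revoked = set(revoked)
        self.signer_key_id = signer_key_id

    def respond(self, serial):
        status = "revoked" if serial in self.revoked else "good"
        return OcspResponse(serial, status, self.signer_key_id)


class Client:
    """Relying party: one endpoint for certificate queries, one run by the CA."""

    def __init__(self, ca, endpoint, ca_endpoint, known_responder_certs):
        self.ca = ca
        self.endpoint = endpoint
        self.ca_endpoint = ca_endpoint
        self.responder_certs = {c.key_id: c for c in known_responder_certs}
        self.requests = 0               # network round trips made by check()

    def fetch(self, endpoint, serial):
        self.requests += 1
        return endpoint.respond(serial)

    def check(self, serial):
        """Return (accepted, status, reason) for the certificate with `serial`."""
        self.requests = 0
        resp = self.fetch(self.endpoint, serial)
        if resp.signer_key_id == self.ca.key_id:
            return True, resp.status, "signed directly by the CA"
        rc = self.responder_certs.get(resp.signer_key_id)
        if rc is None:
            return False, None, "unknown signer"
        if rc.issuer != self.ca.subject:
            return False, None, "responder not certified by the CA"
        if OCSP_SIGNING not in rc.eku:
            return False, None, "responder certificate lacks OCSP signing EKU"
        if OCSP_NOCHECK in rc.extensions:
            return True, resp.status, "delegated responder, no-check"
        # Second round trip: the responder's own status, answered by the CA so
        # the check does not recurse through the same delegated responder.
        resp2 = self.fetch(self.ca_endpoint, rc.serial)
        if resp2.signer_key_id != self.ca.key_id:
            return False, None, "responder status not CA-signed"
        if resp2.status != "good":
            return False, None, "responder certificate revoked"
        return True, resp.status, "delegated responder, status checked"


# Constructed sample PKI.
CA = Cert("ca-1", "CN=Example CA", "CN=Example CA", "key-ca")
RESP_OK = Cert("resp-7", "CN=OCSP Responder", "CN=Example CA", "key-resp",
               frozenset({OCSP_SIGNING}))
RESP_NOCHECK = Cert("resp-8", "CN=OCSP Responder 2", "CN=Example CA", "key-resp-nc",
                    frozenset({OCSP_SIGNING}), frozenset({OCSP_NOCHECK}))
RESP_BAD_EKU = Cert("resp-9", "CN=Web Server", "CN=Example CA", "key-web",
                    frozenset({"id-kp-serverAuth"}))
RESP_REVOKED = Cert("resp-10", "CN=Old Responder", "CN=Example CA", "key-old",
                    frozenset({OCSP_SIGNING}))
REVOKED = {"serial-0042", "resp-10"}
KNOWN = [RESP_OK, RESP_NOCHECK, RESP_BAD_EKU, RESP_REVOKED]


def run(signer_key_id, serial):
    """Query `serial` from an endpoint signing with `signer_key_id`; return
    (accepted, status, reason, requests_made)."""
    ca_endpoint = SimEndpoint(REVOKED, CA.key_id)
    endpoint = ca_endpoint if signer_key_id == CA.key_id else SimEndpoint(REVOKED, signer_key_id)
    client = Client(CA, endpoint, ca_endpoint, KNOWN)
    return client.check(serial) + (client.requests,)


if __name__ == "__main__":
    for signer in ("key-ca", "key-resp", "key-resp-nc", "key-web", "key-old", "key-rogue"):
        print(signer, run(signer, "serial-0042"))
```

The request counter makes the point from the message visible: a CA-signed response costs one round trip, a delegated responder costs two unless its certificate is marked no-check, and a responder certificate that lacks the OCSP-signing usage or is itself revoked is rejected before its answer is believed.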