Re: [IETF-PKIX] OCSP using SSL/https
>It seems that the main purpose of having signed responses in OCSP
>is to authenticate the responder.
>
>Would it be useful, and perhaps simplify things, to permit SSL/https
>to be used in the protocol instead of requiring signed responses over
>http?
Are we talking 'instead of' or 'optionally'?
The problem with using SSL is that the cache facility of HTTP
would be lost. Making the caching work really requires transaction
layer and not transport layer security.
I don't see a lot of value in pushing the public key work into
SSL except that it would avoid the need to sign each HTTP/1.1
reply in a long sequence of requests. A more likely scenario
would be to want to use a private key between two closely
coupled hosts.
Since we don't have a spec proposed for such a transport
I think that all we need at most do at this stage is put in some
wording to allow the possibility of relying on some other
proof of authenticity by prior agreement of both parties, in
which case only the raw data need be sent.
Phill
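The caching argument in the message above, as an added illustration that is not Phill's code and not taken from the OCSP specification: a signed response is an artifact that an HTTP cache can hand to any later client, who can still verify it with only the responder's public key, whereas an SSL session proves nothing once the connection ends. The Go program below uses a hypothetical, much simplified `CertStatus` structure in place of the real OCSP response (the real one carries a responder ID, nonces and more) and a freshly generated ECDSA key in place of a responder certificate; both are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CertStatus is a hypothetical stand-in for an OCSP SingleResponse.
// It is DER-encoded before signing so the signed bytes are canonical.
type CertStatus struct {
	Serial     *big.Int
	Revoked    bool
	ThisUpdate time.Time
	NextUpdate time.Time
}

// SignedResponse is the cacheable artifact: status plus the responder's
// signature over the DER encoding of that status. A cache between client
// and responder can replay it, and the client can still check it offline.
type SignedResponse struct {
	Status    CertStatus
	Signature []byte
}

// Responder holds the signing key (an assumption standing in for a
// responder certificate issued by the CA).
type Responder struct {
	key *ecdsa.PrivateKey
}

func NewResponder() (*Responder, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Responder{key: k}, nil
}

func (r *Responder) Public() *ecdsa.PublicKey { return &r.key.PublicKey }

// Respond builds a status for the serial and signs it; the validity window
// (here a fixed 24h) is what makes the response safe to cache at all.
func (r *Responder) Respond(serial *big.Int, revoked bool, now time.Time) (*SignedResponse, error) {
	st := CertStatus{Serial: serial, Revoked: revoked, ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	der, err := asn1.Marshal(st)
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256(der)
	sig, err := ecdsa.SignASN1(rand.Reader, r.key, h[:])
	if err != nil {
		return nil, err
	}
	return &SignedResponse{Status: st, Signature: sig}, nil
}

// Verify is what a client runs on a response, whether it came directly from
// the responder or out of a cache: it needs only the responder's public key.
func Verify(pub *ecdsa.PublicKey, resp *SignedResponse, now time.Time) error {
	der, err := asn1.Marshal(resp.Status)
	if err != nil {
		return err
	}
	h := sha256.Sum256(der)
	if !ecdsa.VerifyASN1(pub, h[:], resp.Signature) {
		return errors.New("responder signature does not verify")
	}
	if now.Before(resp.Status.ThisUpdate) || now.After(resp.Status.NextUpdate) {
		return errors.New("response outside its validity window")
	}
	return nil
}

// Cache models the HTTP cache that would sit between clients and responder.
type Cache map[string]*SignedResponse

func (c Cache) Put(r *SignedResponse)           { c[r.Status.Serial.String()] = r }
func (c Cache) Get(serial *big.Int) *SignedResponse { return c[serial.String()] }

func main() {
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	resp, _ := NewResponder()
	cache := Cache{}

	// First client asks the responder; the cache keeps the signed answer.
	first, _ := resp.Respond(big.NewInt(4242), false, now)
	cache.Put(first)

	// Second client is served from the cache and verifies without contacting
	// the responder. An SSL-only design would have nothing to verify here.
	cached := cache.Get(big.NewInt(4242))
	fmt.Println("cached copy verifies:", Verify(resp.Public(), cached, now.Add(time.Hour)))

	// A cache that alters the status is caught by the signature check.
	tampered := *cached
	tampered.Status.Revoked = true
	fmt.Println("tampered copy verifies:", Verify(resp.Public(), &tampered, now.Add(time.Hour)))
}
```

The check a relying party actually wants is the one in `Verify`: signature over the status bytes plus a freshness window. Transport security cannot substitute for it because the second client never spoke to the responder at all.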