
Re: [IETF-PKIX] OCSP v CRLs over HTTP



In the case where a central repository services multiple CAs for OCSP, then that repository should sign (timestamp?) the response.  I'm not sure whether this will be a "tightly coupled" relationship as some have suggested.  The CRLs used by the repository should, of course, be signed by the original issuing CA.  The repository may even archive all of these CRLs issued and their signatures.


Michael
>>> Tim Moses <tim.moses@ENTRUST.COM> 12/03/97 09:03AM >>>
Russ - By "the alternative" I take you to mean OCSP.  The OCSP response
is signed by the CA's signature key.  This provides authentication of
the responder's identity.  Best regards.  Tim.

>----------
>From:  Russ Housley[SMTP:housley@SPYRUS.COM]
>Sent:  Tuesday, December 02, 1997 11:43 AM
>To:    IETF-PKIX@LISTS.TANDEM.COM
>Subject:       Re: [IETF-PKIX] OCSP v CRLs over HTTP
>
>Tim:
>
>The digital signature on the CRL returned by HTTP or FTP provides the
>authentication.  How is comparable authentication provided in the
>alternative?
>
>Russ
>


--------------------------------------------------------------
Tim Moses, Entrust Technologies,
Tel: 613 247 3183,
email: tim.moses@entrust.com.