
Re: [IETF-PKIX] OCSP using SSL/https



Dan Laska wrote:
>
> It seems that the main purpose of having signed responses in OCSP
> is to authenticate the responder.

I disagree. IMHO, the main purpose is to have a non-repudiable receipt
of status provision, that can be used to attest to an attempt to
reasonably check the status of a certificate.


>
> Would it be useful, and perhaps simplify things, to permit SSL/https
> to be used in the protocol instead of requiring signed responses over
> http?

This would not achieve the above.

>
> I am assuming here that the responder is tightly coupled to the CA.
> If the responder's site certificate is revoked then the responder
> itself would have to get disabled or updated by the CA.

This doesn't take into account multiple responder scenarios, nor the
instance where the OCSP provider has multiple certificates.


>
> ==========================================
> Dan Laska
> Frontier Technologies Corp.
> Email: danl@frontiertech.com
> ==========================================

-Pat
--
Patrick C. Richard - patr@xcert.com
Public Key Available via LDAP

"All informational objects are candidates for PKI-based ACLs."
       - yhe
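The receipt property Pat describes, shown as an added example that is not part of the thread: a stored OCSP response remains verifiable later by anyone holding only the responder's public key, which a TLS session cannot offer. The PKI here is constructed in-process with the `cryptography` library, with the CA acting as its own responder (Dan's "tightly coupled" case); the function and certificate names are assumptions.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa, padding

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(cn, issuer_cn, subject_key, issuer_key, serial):
    # Minimal constructed test certificate; no real CA is involved.
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(_name(issuer_cn))
            .public_key(subject_key.public_key()).serial_number(serial)
            .not_valid_before(now - datetime.timedelta(days=1))
            .not_valid_after(now + datetime.timedelta(days=365))
            .sign(issuer_key, hashes.SHA256()))

# Constructed PKI: the CA is also the OCSP responder (the "tightly coupled" case).
ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
ca_cert = make_cert("Test CA", "Test CA", ca_key, ca_key, 1)
ee_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
ee_cert = make_cert("end-entity", "Test CA", ee_key, ca_key, 4242)

def build_signed_response():
    # Responder side: DER-encoded, signed "good" status for ee_cert.
    now = datetime.datetime.now(datetime.timezone.utc)
    resp = (ocsp.OCSPResponseBuilder()
            .add_response(cert=ee_cert, issuer=ca_cert, algorithm=hashes.SHA256(),
                          cert_status=ocsp.OCSPCertStatus.GOOD, this_update=now,
                          next_update=now + datetime.timedelta(hours=1),
                          revocation_time=None, revocation_reason=None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert)
            .sign(ca_key, hashes.SHA256()))
    return resp.public_bytes(serialization.Encoding.DER)

def verify_stored_response(der, responder_public_key):
    # Auditor side: only the stored bytes and the responder's public key are needed.
    # Returns (status, serial) on success, or None if the signature does not check.
    resp = ocsp.load_der_ocsp_response(der)
    try:
        responder_public_key.verify(resp.signature, resp.tbs_response_bytes,
                                    padding.PKCS1v15(), resp.signature_hash_algorithm)
    except InvalidSignature:
        return None
    return resp.certificate_status, resp.serial_number
```

Because verification needs no live session and no private material, the same DER bytes can be archived and re-checked by a third party years later, which is what makes the response a receipt rather than just an authenticated channel.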