Re: [IETF-PKIX] OCSP v CRLs over HTTP
At 03:52 PM 12/5/97 -0500, David P. Kemp wrote:
>> On Fri, 5 Dec 1997, Phillip M Hallam-Baker wrote:
>> >
>> > OCSP supports a function call end clients make routinely: 'Is this
>> > certificate valid'.
>
>I thought we had already established that this was NOT the goal of
>OCSP. OCSP was presented as merely answering the question "Has this
>certificate been revoked?", the example given being the need to cut off
>people who demonstrate the danger of relying on MS Authenticode as an
>applet privilege management mechanism. (Silencing the messengers,
>rather than fixing the problem, as it were.)
Dave,
Our prior discussions suffer from bandwidth starvation. It is true that if
one were to quickly summarize OCSP, one can say it answers the question you
pose. I've said or written the same thing several times in efforts to focus
and clarify discussions. However, there are a few things to keep in mind
with regard to the development of a consensus on what OCSP is and should be:
1. From August until about the middle of November there were a total of
about five public comments on the original Part 2 text.
2. That text identified certificate validation and expiration responses in
addition to certificate revocation responses.
3. In the last three weeks there's been a tremendous surge in list traffic
regarding OCSP, on the order of 80 or so messages.
4. So I would think it's fair to say that what we had established, even in
the -01 draft that recently emerged this past Friday, may fail to fully
accommodate the growing body of consensus on OCSP. I would expect our work
next week to take us much closer towards an acceptable draft.
Mike