Re: [IETF-PKIX] OCSP v CRLs over HTTP

On Fri, 5 Dec 1997 mmyers@verisign.com wrote:
> 
> >OCSP allows the relier to get the revocation information when it's needed,
> >without being subject to the CA's CRL schedule.  Because CRLs can only be
> >released periodically, they are at best a compromise solution to the needs
> >of relying parties.
> 
> Keep in mind there's still a periodicity effect in the event of caching.
> Section 2.3 of the current draft sets out the requirements.
> 

Agreed.  One of my main points, though, is that relying parties need to be
able to override any caches (& their effects) at their discretion, not the
CA's or anyone else's.

> 
> Again, I completely agree.  However, we must be cautious about overly
> constraining implementors.  We can and should standardize what's
> standardizable.
> 

Perhaps, but is it really overconstraining to make implementors create
something that works?  To make an analogy, there are some unavoidable
constraints to building an airplane -- don't make the wings cylinders,
don't make the engines face each other, etc.  Airplane implementors are
constrained to create planes that fly.  Similarly, we should constrain PKI
implementors to make programs that work.  If we are aware of any flaws in
the standards we create, we should at the very least describe them in the
documents themselves.  I would prefer not standardizing a flawed system at
all, but if there's a huge need to push forward then so be it.

		Marc

+------------------------------------------------------------------------+
 Marc Branchaud                                       \/
 Chief PKI Architect                                  /\CERT SOFTWARE INC.
 marcnarc@xcert.com        PKI References page:              www.xcert.com
 604-640-6227          www.xcert.com/~marcnarc/PKI/
+------------------------------------------------------------------------+
  PGP key fingerprint:  60 11 4B 9D 4E E5 2F 47  BD C5 C2 BF 26 DF 5A E1