Re: [IETF-PKIX] OCSP v CRLs over HTTP
On Tue, 9 Dec 1997, Mike Smith wrote:
>
> In OCSP, is there an obligation on the responder to validate the whole
> chain of trust above (and across the network of trust in cross certs),
> or, is OCSP really JUST giving status on the particular cert in the
> status request?
>
> Michael
>
Well, the current proposal is concerned solely with the validity of a
single given cert, regardless of whatever context might surround it (such
as a chain it might form a part of).
However, there's a lot of utility in having a "smart" OCSP responder. For
example, a departmental OCSP responder can be tuned to reflect the trust
parameters of the organization (e.g. which cross-certifications are in
place, and for what purposes). If all departmental users pass all their
validations through their local OCSP responder, the organization can have
a lot of control over how its employees accept certificates.
For example, time-of-day restrictions become simple, as the OCSP responder
can be set up to return a "valid" response only during business hours.
OCSP creates a lot of opportunities for flexible PKI policies. Whether or
not they're possible really depends on how the PKI is modelled.
Marc
+------------------------------------------------------------------------+
Marc Branchaud
Chief PKI Architect, XCERT SOFTWARE INC.
marcnarc@xcert.com    www.xcert.com
604-640-6227          PKI References page: www.xcert.com/~marcnarc/PKI/
+------------------------------------------------------------------------+
PGP key fingerprint: 60 11 4B 9D 4E E5 2F 47 BD C5 C2 BF 26 DF 5A E1
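As an added illustration of the distinction drawn above (this is not code from the thread or from Xcert), a small Python model of a plain per-certificate responder beside a departmental "smart" responder that layers organizational policy on the raw status. The issuer names, serial numbers, business hours, the cross-cert allow-list and the choice to answer "unknown" when policy does not permit "good" are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, FrozenSet, Tuple

# OCSP CertStatus values (RFC 2560): the responder vouches "good",
# reports "revoked", or declines to vouch with "unknown".
GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"

# Constructed sample status database: (issuer name, serial) -> status.
STATUS_DB: Dict[Tuple[str, int], str] = {
    ("CN=Engineering CA", 1001): GOOD,
    ("CN=Engineering CA", 1002): REVOKED,
    ("CN=Partner CA", 7): GOOD,  # only reachable via a cross-cert
}


@dataclass
class PlainResponder:
    """Answers only for the single cert asked about; context is ignored."""
    statuses: Dict[Tuple[str, int], str]

    def status(self, issuer: str, serial: int, now: datetime) -> str:
        return self.statuses.get((issuer, serial), UNKNOWN)


@dataclass
class PolicyResponder(PlainResponder):
    """Departmental responder applying organizational policy on top.

    Assumption: when policy does not allow "good" it answers "unknown",
    never "revoked", so the underlying status is not misrepresented."""
    trusted_issuers: FrozenSet[str] = frozenset()          # cross-certs in place
    business_hours: Tuple[time, time] = (time(9, 0), time(17, 0))
    business_days: FrozenSet[int] = frozenset(range(5))    # Mon..Fri

    def status(self, issuer: str, serial: int, now: datetime) -> str:
        base = super().status(issuer, serial, now)
        if base != GOOD:
            return base                  # never upgrade revoked/unknown
        if issuer not in self.trusted_issuers:
            return UNKNOWN               # org has no cross-cert for this CA
        start, end = self.business_hours
        if now.weekday() not in self.business_days or not start <= now.time() < end:
            return UNKNOWN               # time-of-day restriction
        return GOOD


def compare(issuer: str, serial: int, now: datetime) -> Tuple[str, str]:
    """Return (plain, policy) answers for the same status request."""
    plain = PlainResponder(STATUS_DB)
    policy = PolicyResponder(STATUS_DB, trusted_issuers=frozenset({"CN=Engineering CA"}))
    return plain.status(issuer, serial, now), policy.status(issuer, serial, now)
```

Querying the same certificate on a Tuesday morning and on a Saturday shows the plain responder answering "good" both times while the policy responder only vouches during business hours.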