[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [IETF-PKIX] OCSP v CRLs over HTTP

To: Marc Branchaud <marcnarc@xxxxxxxxx>
Subject: Re: [IETF-PKIX] OCSP v CRLs over HTTP
From: mmyers@xxxxxxxxxxxx
Date: Tue, 09 Dec 1997 23:18:52 -0700
Cc: IETF-PKIX@xxxxxxxxxxxxxxxx

Marc,

My interpretation of your requirement implies the CA operate in a fashion
that enables the "false revocation" attack Carlisle earlier identified.  I
may be misunderstanding your requiremment however.  May I ask that you
express it more precisely?

Mike





At 11:07 AM 12/8/97 -0800, Marc Branchaud wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>
>
>On Fri, 5 Dec 1997 mmyers@verisign.com wrote:
>> 
>> >OCSP allows the relier to get the revocation information when it's needed,
>> >without being subject to the CA's CRL schedule.  Because CRLs can only be
>> >released periodically, they are at best a compromise solution to the needs
>> >of relying parties.
>> 
>> Keep in mind there's still a periodicity effect in the event of caching.
>> Section 2.3 of the current draft sets out the requirements.
>> 
>
>Agreed.  One of my main points, though, is that relying parties need to be
>able to override any caches (& their effects) at their discretion, not the
>CA's or anyone else's.
>
>> 
>> Again, I completely agree.  However, we must be cautious about overly
>> constraining implementors.  We can and should standardize what's
>> standarizable.
>> 
>
>Perhaps, but is it really overconstraining to make implementors create
>something that works?  To make an analogy, there are some unavoidable
>constraints to building an airplane -- don't make the wings cylinders,
>don't make the engines face each other, etc.  Airplane implementors are
>constrained to create planes that fly.  Similarly, we should constrain PKI
>implementors to make programs that work.  If we are aware of any flaws in
>the standards we create, we should at the very least describe them in the
>documents themselves.  I would prefer not standardizing a flawed system at
>all, but if there's a huge need to push forward then so be it.
>
>		Marc
>
>+------------------------------------------------------------------------+
> Marc Branchaud                                       \/
> Chief PKI Architect                                  /\CERT SOFTWARE INC.
> marcnarc@xcert.com        PKI References page:              www.xcert.com
> 604-640-6227          www.xcert.com/~marcnarc/PKI/
>+------------------------------------------------------------------------+
>  PGP key fingerprint:  60 11 4B 9D 4E E5 2F 47  BD C5 C2 BF 26 DF 5A E1
>
>-----BEGIN PGP SIGNATURE-----
>Version: 2.6.2
>
>iQB1AwUBNIxFfVrdFXNdDxPlAQHe3wL/RvQhevLG2bOkecStFrliLEXdHOacp3E6
>0UDNyiX/6RKlW0wZcc7PYL57C3RkUIDo4zSyxsYUlStjpyZn425XNTox91TN0nVO
>e1hOIsi8beC5Srlv7xNqCuD0/p3QzUAY
>=1BkI
>-----END PGP SIGNATURE-----
>
>
>

Follow-Ups:
- Re: [IETF-PKIX] OCSP v CRLs over HTTP
  - From: Marc Branchaud

Prev by Date: PKIX/ECDSA - Duplicate OIDs
Next by Date: Re: Critical extensions and Policy OIDs
Previous by thread: Re: [IETF-PKIX] OCSP v CRLs over HTTP
Next by thread: Re: [IETF-PKIX] OCSP v CRLs over HTTP
Index(es):
- Date
- Thread