
[IETF-PKIX] OCSP draft 2



another area that i'm really interested in is the possibility of extending
ocsp into online digital signature status ... (in contrast to
online certificate status). This relates to account authority
digital signature model ... where the relying party on the digital
signature isn't the account authority ... but still needs indication
regarding the validity of the digital signature.

in aads, certificates were removed from financial transactions ... in part
to provide end-to-end digital signature integrity for financial
transactions that had to transit legacy financial networks.  It turned
out that the removal of certificates from the operation also eliminated
systemic risks to the financial infrastructure (that are associated
with common CA infrastructures).

The embodiment of aads is in ANSI X9.59 electronic retail payment
protocol ... which has also been presented as electronic payment
convergence (also has an acronym GUPI ... grand unified payment
initiative) ... and is targeted for international ISO fast-tracking.

The opportunity in AADS is to leverage a likely robust and pervasive
digital signature infrastructure for operations other than end-to-end,
high integrity financial transactions.

The no-brainer is for an AADS to also issue certificates. However,
the certificates and the account authority financial transactions then
operate at almost the opposite ends of the high-integrity spectrum.
The opportunity is then to provide higher-integrity PKI that
is closer to the financial transaction end of the spectrum ... but
doesn't happen to be real financial transactions.