More on - RE: Major comments on OCSP (and LDAP Sec
snip
> Be sure to note the fourth word in the first sentence: an OCSP responder
> *may* have this coupling to a CA. It also may not. There is nothing in the
> OCSP protocol to guarantee timely revocation status. Period. It is
> perfectly legitimate for an OCSP responder to be working *only* from
> published CRLs (in fact, people on this list recently have stated that
> allowing this is an important requirement of this protocol), in which case
> the OCSP response is no more timely than the CRL itself.
Well said - I have yet to read in any spec that the protocol invented in
the spec is faster because of "-----" - or how that is achieved in the
real world. All one sees in the qualification of a new protocol is some
isms that say the old one is bad and therefore the new is good, and it
usually applies the words to the bad that it is big, slow, wet, dry,
does not cure world poverty, etc.
And this statement is ?????
The statement made by Graham is still correct - it is quite possible
for an OCSP responder to give you up to date information if it
works off the CA's database.
The bad thing about "database" mechanisms is they don't scale to global
domains - however, to scale up databases and apply object oriented
engineering and global name forms ... Oh, we have a directory system just
like X.500 - Perhaps we can use X.500 as the CA database and, as it's
distributed and globally named, it will scale and provide the
information we need.
just thoughts alan
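Added example (not part of this thread or anyone's posted code): a relying-party freshness check that measures revocation data by its thisUpdate rather than the response's producedAt, so an OCSP response re-served from a CRL is judged exactly as stale as that CRL. Field names follow RFC 2560; the StatusInfo type, the policy values and the sample timestamps are assumptions constructed for the demo.

```python
"""Freshness of revocation status: only as good as the data behind it."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class StatusInfo:
    """Timestamps from one OCSP SingleResponse, or from a CRL (produced_at=None).
    Assumed to be already parsed out of the signed structure."""
    this_update: datetime
    next_update: Optional[datetime]
    produced_at: Optional[datetime] = None


def status_age(info: StatusInfo, now: datetime) -> timedelta:
    """Age of the status data itself: thisUpdate, not when the answer was signed."""
    return now - info.this_update


def check_freshness(info: StatusInfo, now: datetime, max_age: timedelta) -> str:
    """Local policy (assumed): 'fresh', 'stale', or 'invalid' (inconsistent times)."""
    if info.produced_at is not None and info.produced_at < info.this_update:
        return "invalid"  # signed before the data it claims to report on
    if info.next_update is not None:
        if info.next_update <= info.this_update:
            return "invalid"
        if now > info.next_update:
            return "stale"  # the issuer itself says newer data should exist
    if status_age(info, now) > max_age:
        return "stale"
    return "fresh"


def looks_crl_derived(ocsp: StatusInfo, crl: StatusInfo) -> bool:
    """Heuristic: identical thisUpdate/nextUpdate means the responder is re-serving
    the CRL, so the OCSP answer is no more timely than the CRL (the thread's point)."""
    return ocsp.this_update == crl.this_update and ocsp.next_update == crl.next_update


def demo() -> dict:
    """Constructed sample: a 36-hour-old CRL, a responder echoing it, a live one."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    h = timedelta(hours=1)
    crl = StatusInfo(now - 36 * h, now + 12 * h)
    from_crl = StatusInfo(crl.this_update, crl.next_update, produced_at=now - 5 * h / 60)
    live = StatusInfo(now - 2 * h / 60, None, produced_at=now - 2 * h / 60)
    bad = StatusInfo(now, None, produced_at=now - h)
    policy = 24 * h
    return {"crl": check_freshness(crl, now, policy),
            "from_crl": check_freshness(from_crl, now, policy),
            "from_crl_is_crl": looks_crl_derived(from_crl, crl),
            "live": check_freshness(live, now, policy),
            "live_is_crl": looks_crl_derived(live, crl),
            "bad": check_freshness(bad, now, policy)}
```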