[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: OCSP - Wait A Minute!

To: Anders Rundgren <anders.rundgren@xxxxxxxxx>, ietf-pkix@xxxxxxx
Subject: Re: OCSP - Wait A Minute!
From: Dan Weinstein <danw@xxxxxxxxxxxx>
Date: Sun, 16 Aug 1998 16:34:07 -0700
References: <>
Sender: owner-ietf-pkix@xxxxxxx

Anders Rundgren wrote:
> 
> Hi Dan,
> I don't see how Netscape or anybody else can do packaged product
> based on the OCSP-specification.

I am speaking as myself, NOT for Netscape.

> Will it be provided as a framework
> where the customer does the actual implementation?  Particularly
> the provider part seems pretty impossible to implement in a totally
> general way.  And that is probably the way it should be.

What, specifically, isn't implementable?  How do you reconcile your
assertion with the fact that a number of companies have been tracking
the draft with implementations?

> Anyway, I think you should put OCSP *on hold* to make it more universal.
> In particular the requirement to have issuers certificates requires every
> certificate user to also rely on other certificate service protocols or
> other unspecified methods for acquiring issuer certificates.
>
> OCSP could *easily* do it all!

If all you are after is additional capabilities for OCSP, both requests
and responses support extensions.  Extensions that prove that they are
interesting in real world implementations will be folded back into
version 2.  It seems foolish to me, to hold up version 1 for features
that have already been discussed and rejected once for this version of
the draft (which covers most of the changes I have heard suggested
recently).

> 
> Please take a look on
> 
> http://www.jaybis.com/specifications/pkix/ocsp.html

I took a look at this.  The best I can tell, you suggest 2 changes for
OCSP, required TLS/SSL and the ability for the server to perform
validation.  Requiring TLS/SSL is a bad idea.  One reason you suggest
this is to allow client auth, but that is not necessary because a signed
request buys you the same thing, with less overhead.  The other reason
that you suggest requiring TLS/SSL is for encryption of requests and
responses.  I can imagine quite a few uses for OCSP where encrypting the
sessions would just add overhead.  The option of using TLS/SSL is
already in the OCSP draft, requiring its use only adds what may be
unnecessary overhead.  As for the server being capable of certificate
validation, I think that is already well covered teritory.

Dan Weinstein
danjw1@hotmail.com

References:
- OCSP - Wait A Minute!
  - From: Anders Rundgren

Prev by Date: RE: ldapv2-schema and CA Certificates
Next by Date: RE: OCSP - Wait A Minute!
Previous by thread: OCSP - Wait A Minute!
Next by thread: RE: OCSP - Wait A Minute!
Index(es):
- Date
- Thread