RE: Major comments on OCSP (and LDAP Sec
Thanks Phill.
The point is that a CA without a directory system seems to need yet more
servers (OCSP) and more protocols in the client..
The result is that this system has incompatible client software and has
yet another set of scaling and database integration problems. ie. the
lack of the right resource (a directory) being available, demands the
need for another resource (OCSP servers) which in turn creates
undesirable (IMHO) problems - fat, complex, non standard, non compatible
client software, more protocols and server process interaction, non
standard CA processes and DIT/database designs. - More purchase and
operational costs to the customer and follow on scalability issues and
supplier lock in.
OCSP as said is a solution in the wrong place to a problem that can be
cured in the right place. However, OCSP adds more problems - ie, now
there is a QOS/priority problem with it..
I still cannot see from the OCSP spec how it deals with certificates that
I might receive from anywhere in the world - The EC directory system -
just like the way in which a directory system supports the global
telephone system - is needed for CAs and organisations to do real
distributed EC.
I am doing a bit of work at the moment on directory enabled certificate
status/CRL process issues and will release a paper in a day or so.
regards alan
PS if you are herded into a 747 like cattle... - then fly QANTAS
instead - I do - they are the best!
> -----Original Message-----
> From: Phillip M Hallam-Baker [SMTP:pbaker@verisign.com]
> Sent: Friday, 21 August 1998 0:47
> To: Alan Lloyd; 'Graham Bland'
> Cc: ietf-pkix@imc.org
> Subject: RE: Major comments on OCSP (and LDAP Sec
>
> I am quite mystified by all this talk of going on holiday with
> bicycles powered by 747 engines. Is X.500 the 747 engine or the
> bicycle?
>
> Last time I flew in a 747 the engines were made by Rolls Royce,
> and moreover airplane engines are like car engines. You can buy
> the same chassis with more than one engine and the same engine
> is sold in more than one chassis.
>
> You chose your engine with respect to your needs.
>
> Similarly when I went on holiday this summer I chose to drive
> my car 2,500 miles rather than be herded into a 747 like cattle.
>
>
> If the transport analogy was valid and the assertion that X.500
> was the only solution was true we would all be using public
> transport.
>
> Phill
>
>
>