
RE: Major comments on OCSP (and LDAP Sec



Alan,
>I still cannot see from the OCSP spec how it deals with certificates that
>I might receive from anywhere in the world - The EC directory system -
>just like the way in which a directory system supports the global
>telephone system - is needed for CAs and organisations to do real
>distributed EC.
A comparison with telephone systems is *very* appropriate. You typically have a
subscription to *one* operator and line. This line could be OCSP. The OCSP-server
part does the messy part of transmitting the certificate status request to the proper
destination regardless of how its directory is arranged. And it also does the billing in
your own currency and local method. Or do you think most OCSP services will be for free?

A real-world OCSP-system is likely to support a limited set of "certificate domains".

The *backend-part* may indeed be X500-directories but is there really a need to
know that for *clients* that just want to check the status of a certificate? 

I.e. OCSP is not only a YAP but could also (particularly with my issuer-certificate-cache
addition http://www.jaybis.com/specifications/pkix/ocsp.html) be the *only* protocol
an ordinary client needs for accessing the "certificate store".

For a lot of PKIs (like ID-cards) the certificates will not be public
anyway and in these cases OCSP makes even more sense.

Anders