Re: Major comments on OCSP (and LDAP Sec
Let me lend Alan a bit of support.
Working at the cusp of pkix and directories, I have a different view of
their role. I am confident that an X.500 system can be operated at
equivalent level of operational integrity as OCSP.
An appropriate goal of a directory based revocation scheme would be to make
it seamlessly bound with its certificate distribution role. The CA and DSA
should be paired. The CA should delete certificates containing revoked
encryption keys from the directory (certificates for signing keys will have
to be retained somehow, re: other thread). When a client goes to the
repository for a certificate, the repository will never knowingly release a
revoked one. So the client's risk of using a revoked certificate is solely
dependent on its local cache.
Yes, this is not LDAP and directories today. The message set has to be
protected from corruption in transit and the client must be able to have
mutual authentication of the CA's directory. There are some operational and
policy issues that must apply to the directory in order to have confidence
in its integrity.
But given that several vendors have built some quite nice tools based on a
standard that was well formed, it might be worth considering ...
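A toy model of the paired CA/DSA scheme sketched above, added here as an illustration rather than code from anyone in this thread: revoked encryption certificates are deleted from the repository, the repository itself never serves a revoked entry, and the only residual exposure is a client's local cache. The retention of revoked signing certificates as a flagged entry, the cache's max-age policy, and all names are assumptions for the example.

```python
"""Constructed model: a CA-paired directory plus a caching client.
The directory is a dict standing in for an X.500 DSA."""


class Directory:
    """Repository controlled by the CA. Revoked encryption certs are
    deleted; revoked signing certs are retained but flagged (assumption,
    since the post leaves how they are retained unspecified)."""

    def __init__(self):
        self.entries = {}  # subject -> {"usage": str, "revoked": bool}

    def publish(self, subject, usage):
        self.entries[subject] = {"usage": usage, "revoked": False}

    def revoke(self, subject):
        entry = self.entries.get(subject)
        if entry is None:
            return
        if entry["usage"] == "encryption":
            del self.entries[subject]      # gone from the repository
        else:
            entry["revoked"] = True        # kept for old signature checks

    def lookup(self, subject):
        entry = self.entries.get(subject)
        if entry is None or entry["revoked"]:
            return None  # the repository never knowingly releases a revoked cert
        return dict(entry)


class Client:
    """Relying party with a local cache; staleness is bounded by max_age
    seconds, which is exactly the window in which a revoked encryption
    certificate can still be used."""

    def __init__(self, directory, max_age):
        self.directory, self.max_age, self.cache = directory, max_age, {}

    def get(self, subject, now):
        hit = self.cache.get(subject)
        if hit is not None and now - hit[1] < self.max_age:
            return hit[0]                  # served from cache, possibly stale
        cert = self.directory.lookup(subject)
        if cert is None:
            self.cache.pop(subject, None)  # drop any stale copy
        else:
            self.cache[subject] = (cert, now)
        return cert
```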
-----Original Message-----
From: Alan Lloyd <Alan.Lloyd@OpenDirectory.com.au>
To: 'Anders Rundgren' <anders.rundgren@orbil.com>
Cc: 'Stefan Santesson' <stefan@accurata.se>; 'ietf-pkix@imc.org '
<ietf-pkix@imc.org>; 'Mike Myers' <mmyers@verisign.com>; 'Ambarish Malpani'
<ambarish@valicert.com>
Date: Friday, August 21, 1998 2:12 AM
Subject: RE: Major comments on OCSP (and LDAP Sec
>Anders, thanks for that,
>I think that the "global" directory systems won't happen bit is a view.
>But one must look at white pages for the telephone system - that
>happened out of need. Once we join voice and data services together we
>need a directory for that, and once corporations start dealing with
>optimising their information infrastructures on distributed name based -
>object oriented - transaction systems - they will use directories. The
>ONLY standard on the planet for this is X.500.
>As a person who is involved with many large (and I mean large) scale
>directory systems across the planet, I have a different perspective on
>life than those working in other areas.
>
>The desire and the requirement to have a global directory infrastructure
>for global EC is overwhelming from many vertical markets and
>organisations - as said, we have a high integrity, high performance, 3rd
>generation DSA with information integration tools, LDAP interfaces for
>servers and clients and it has been tested and accepted by such large
>corporates in many countries.
>We are getting busier and busier by the day - and those scaling issues
>as defined for OCSP (and LDAP servers) are just the sorts of issues that
>these clients are quite happy to avoid.
>
>We live in a world where IT system scale is totally related to a
>business capability and market share and revenue strategies.
>I do not and will not ever understand why this is never considered by
>those dealing with generic infrastructure standards. The LDAP
>development process is now adding mechanisms that do not scale and it
>still has no architectural model to base distributed authentication and
>access control on. It has a high operational cost and is unworkable in
>large distributed organisations.
>LDAP should be deemed as a protocol that is getting more and more
>proprietary extensions thus minimising the core generic features and
>risking interoperability. OCSP IMHO is the same approach - a local
>solution to a local problem.
>
>
>regards alan
>
>> -----Original Message-----
>> From: Anders Rundgren [SMTP:anders.rundgren@orbil.com]
>> Sent: Friday, 14 August 1998 18:21
>> To: 'Alan Lloyd'
>> Cc: 'Stefan Santesson'; 'ietf-pkix@imc.org '; 'Mike Myers';
>> 'Ambarish Malpani'
>> Subject: RE: Major comments on OCSP (and LDAP Sec
>>
>> Hi Alan,
>> I basically agree to what you are saying on a technical basis. Due to
>> lack of conformance and goals of different organizations I don't believe
>> that global X500 directories will ever happen except (maybe) for a few
>> very specific 100% standardized certificates of commercial interest.
>>
>> My solution to this situation is an upgraded OCSP++ system:
>>
>> http://www.jaybis.com/specifications/pkix/ocsp.html
>>
>> This is IMO what could easily have been squeezed into V1.0. Now I
>> suspect OCSP 1.0 will be short-lived, not particularly interoperable
>> (lots of things are variable and subject to interpretation), and offer
>> too little.
>>
>> Anders Rundgren
>> Senior Internet E-commerce Architect
>