Re: fast review of draft-ietf-pkix-ocsp-06.txt
Michael,
I first suggest that you re-read my last proposal from Friday, which
does not contradict your rationale but contradicts your conclusion.
> All,
>
> The intent was to provide an alternative to CRLs. Following that model,
> there's an underlying assumption that the end-entity is in possession of
> the CA's certificate (as would be needed to validate the signature on a CRL.)
Yes, the underlying assumption is that the end-entity has to get the
CA's public key or certificate. But we should not make any
assumption about whether that information must be obtained BEFORE or
AFTER the OCSP request.
> OCSP never had a requirement to validate an end-entity certificate in the
> absence of the CA certificate at the requestor end. It's not just a
> requirement on syntax at the request. This would also imply path
> validation logic on the server. The consensus has been conclusively
> established that full certificate validation is beyond the scope of this
> protocol.
I strongly agree with your last sentence.
> There's consequently no need to alter the request syntax.
I respectfully disagree with your conclusion.
Denis
> Mike
--
Denis Pinkas Bull S.A. mailto:Denis.Pinkas@bull.net
Rue Jean Jaures B.P. 68 Phone : 33 - 1 30 80 34 87
78340 Les Clayes sous Bois. FRANCE Fax : 33 - 1 30 80 33 21