RE: FW: Attribute used to store cached certificate chains?
Andrew,
>I think a re-statement and perhaps some may think oversimplification of the
>case is as follows: -
>
>CRLs are a batch method for publishing CRLs and we are agreed that an online
>realtime mechanism is required.
>A client navigating to a single OCSP server looks ok.
>When there are a myriad of OCSP servers, the job becomes far more complex.
>A rationalisation of this is to have a single OCSP server that via backend
>protocols talks to other OCSP servers on the user's behalf.
I can put the name of one OCSP server into a cert and have many instances
of that server available, for reliability. We do this with web servers
quite well today, so this is not an unsolvable problem. Also, having lots
of OCSP servers is not intrinsically a problem; the problem you cite seems
to arise only when a given cert might be checked by many independent
servers. I've not seen compelling arguments suggesting why such an
arrangement is needed.
Steve
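The arrangement Steve describes, one responder name carried in the certificate that any number of responder instances can sit behind, is shown below as an added example; it is not code from the thread or from any of its participants. It uses only Go's standard library to build a constructed CA and leaf pair, read the responder URL out of the leaf's Authority Information Access extension (the "name of one OCSP server" in the cert), and then compute the RFC 6960 CertID the client would put in its request, which goes a step beyond the message itself. The names ocsp.example.test, Example Test CA and server.example.test are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/hex"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// responderURL is a hypothetical name, not one from the thread. A single DNS
// name like this can front any number of responder instances.
const responderURL = "http://ocsp.example.test/"

// makePair builds a constructed CA certificate and a leaf it signs. The leaf
// names the responder in its Authority Information Access extension.
func makePair() (leaf, issuer *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if issuer, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(0x1234), Subject: pkix.Name{CommonName: "server.example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:   x509.KeyUsageDigitalSignature,
		OCSPServer: []string{responderURL}, // AIA id-ad-ocsp accessLocation
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, issuer, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = x509.ParseCertificate(leafDER)
	return leaf, issuer, err
}

// ResponderHosts returns the host of every OCSP responder URL in the leaf's
// AIA extension. Whether that host is one machine or a pool is invisible here.
func ResponderHosts(leaf *x509.Certificate) ([]string, error) {
	var hosts []string
	for _, raw := range leaf.OCSPServer {
		u, err := url.Parse(raw)
		if err != nil || u.Host == "" {
			return nil, fmt.Errorf("bad OCSP responder URL %q", raw)
		}
		hosts = append(hosts, u.Host)
	}
	if len(hosts) == 0 {
		return nil, fmt.Errorf("no OCSP responder in AIA: fall back to CRL distribution points")
	}
	return hosts, nil
}

// CertID holds the RFC 6960 CertID fields a client sends in its request.
// SHA-1 here is the identifier hash the CertID structure uses, not a signature.
type CertID struct {
	IssuerNameHash string // hex SHA-1 of the DER-encoded issuer Name
	IssuerKeyHash  string // hex SHA-1 of the issuer's subjectPublicKey bits
	Serial         *big.Int
}

func sha1Hex(b []byte) string {
	sum := sha1.Sum(b)
	return hex.EncodeToString(sum[:])
}

// ComputeCertID derives the CertID from the leaf and its issuer. The key hash
// covers only the BIT STRING contents of subjectPublicKey, not the whole
// SubjectPublicKeyInfo, a common mistake in hand-rolled clients.
func ComputeCertID(leaf, issuer *x509.Certificate) (CertID, error) {
	var spki struct {
		Algorithm pkix.AlgorithmIdentifier
		PublicKey asn1.BitString
	}
	if _, err := asn1.Unmarshal(issuer.RawSubjectPublicKeyInfo, &spki); err != nil {
		return CertID{}, err
	}
	return CertID{
		IssuerNameHash: sha1Hex(leaf.RawIssuer),
		IssuerKeyHash:  sha1Hex(spki.PublicKey.Bytes),
		Serial:         leaf.SerialNumber,
	}, nil
}

func main() {
	leaf, issuer, err := makePair()
	if err != nil {
		panic(err)
	}
	hosts, _ := ResponderHosts(leaf)
	id, _ := ComputeCertID(leaf, issuer)
	fmt.Println(hosts, id.IssuerNameHash, id.IssuerKeyHash, id.Serial)
}
```

Running it prints the single responder host taken from the leaf and the CertID fields; the CA certificate itself carries no AIA OCSP entry, so ResponderHosts reports an error for it rather than silently returning nothing, which is the point at which a real client would fall back to CRL distribution points.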