RE: OCSP Service Locator and RFC2459's Authority Information Access
Michael,
I understand that AIA is multiply-valued, so I can put in multiple URLs.
The question, as is the case all too often, is what are the SEMANTICS of those various URLs?
So I put in one LDAP, one DAP, and one HTTP, or maybe just three LDAPs.
Is OCSP going to assume that each and every one of those URLs points to an OCSP server, and maybe it should make a random choice? What if one refers to the originator's directory that contains his certificate, one refers to the CA's directory which can be used to look up certificates by Issuer name and serial and NOT by DN, and one points to a directory of CRLs and/or OCSP providers that do NOT maintain a list of certificates or other potentially useful information?
I believe that my original thought was correct -- that OCSP thinks it has exclusive ownership of the AIA attribute?
Bob
>>> Michael Myers <MMyers@verisign.com> 03/04/99 08:57AM >>>
Bob,
AIA is multiply-valued, so you can put in other info:
AuthorityInfoAccessSyntax ::=
        SEQUENCE SIZE (1..MAX) OF AccessDescription

AccessDescription ::= SEQUENCE {
        accessMethod    OBJECT IDENTIFIER,
        accessLocation  GeneralName }
The OCSP OID would simply identify the URI used for that particular method.
Mike
> -----Original Message-----
> From: Bob Jueneman [mailto:BJUENEMAN@novell.com]
> Sent: Wednesday, March 03, 1999 5:43 PM
> To: ietf-pkix@imc.org; MMyers@verisign.com
> Subject: RE: OCSP Service Locator and RFC2459's Authority Information
> Access
>
>
> Michael, is the AIA in that case presumed to apply uniquely
> to the OCSP provider -- i.e., has OCSP highjacked that field?
>
> Or can other uses be provided as well, using multiple URIs or
> whatever?
>
> Bob
>
> >>> Michael Myers <MMyers@verisign.com> 03/03/99 05:00PM >>>
>
> > -----Original Message-----
> > From: salzr@certco.com [mailto:salzr@certco.com]
> >
> > This brings up a new question: why is there no OCSP AIA
> > AccessDescription
> > defined? :) All we need is an OID and a URIName of type
> > IA5STRING. Is it
> > too late to add this to the current draft? Does it belong
> > here, or does it
> > more like a cert profile item? Because of its "dual
> nature" should it
> > perhaps
> > be written up separately, anyway? (Probably not, since the
> > OID base will end
> > up
>
>
> Rick,
>
> It's already in there:
>
> "4.1 Certificate Content
>
> In order to convey to OCSP clients a well-known point of
> information
> access, CAs SHALL provide the capability to include the
> AuthorityInfoAccess extension (defined in [PKIX1], section 4.2.2.1)
> in certificates that can be checked using OCSP. Alternatively, the
> accessLocation for the OCSP provider may be configured
> locally at the
> OCSP client.
>
> CAs that support an OCSP service, either hosted locally or provided
> by an Authorized Responder, MAY provide a value for a
> uniformResourceIndicator (URI) accessLocation and the OID value id-
> ad-ocsp for the accessMethod in the AccessDescription SEQUENCE.
>
> The value of the accessLocation field in the subject certificate
> defines the transport (e.g. HTTP) used to access the OCSP responder
> and may contain other transport dependent information
> (e.g. a URL)."
>
>
> Mike
>
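The exchange above turns on one point: the accessMethod OID in each AccessDescription, not the URL scheme, says what the accessLocation is for, so an OCSP client selects only the entries carrying id-ad-ocsp and ignores a caIssuers directory pointer sitting in the same extension. The following script is an added illustration, not code from any message in this thread or from any of the participants. It hand-encodes an AuthorityInfoAccess value in DER with a mix of id-ad-ocsp (1.3.6.1.5.5.7.48.1) and id-ad-caIssuers (1.3.6.1.5.5.7.48.2) entries, parses it back, and filters by accessMethod. The URLs are constructed sample values and the DER helpers are minimal (single-byte tags only), written here to keep the example dependency-free.

```python
"""Added example (not from the thread): build an AuthorityInfoAccess
extension value holding several AccessDescription entries, then show
how an OCSP client keeps only those whose accessMethod is id-ad-ocsp.
Pure-Python DER; sample URLs below are constructed, not real."""

# Access method OIDs defined in RFC 2459 section 4.2.2.1.
ID_AD_OCSP = "1.3.6.1.5.5.7.48.1"
ID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"


def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content


def encode_oid(dotted):
    """Encode a dotted OID (first arc 0 or 1 assumed) as OBJECT IDENTIFIER content."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return bytes(out)


def decode_oid(content):
    arcs = [content[0] // 40, content[0] % 40]
    val = 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def encode_access_description(method_oid, uri):
    # GeneralName uniformResourceIdentifier is [6] IMPLICIT IA5String, so the
    # context-specific primitive tag byte is 0x86.
    return der_tlv(0x30, der_tlv(0x06, encode_oid(method_oid)) + der_tlv(0x86, uri.encode("ascii")))


def encode_aia(descriptions):
    """AuthorityInfoAccessSyntax ::= SEQUENCE OF AccessDescription."""
    return der_tlv(0x30, b"".join(encode_access_description(m, u) for m, u in descriptions))


def read_tlv(data, pos):
    """Read one TLV starting at pos; return (tag, content, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def parse_aia(der):
    """Return a list of (accessMethod dotted OID, accessLocation URI or None)."""
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("AuthorityInfoAccessSyntax must be a SEQUENCE")
    result, pos = [], 0
    while pos < len(seq):
        tag, ad, pos = read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("AccessDescription must be a SEQUENCE")
        oid_tag, oid_bytes, p = read_tlv(ad, 0)
        name_tag, name_bytes, _ = read_tlv(ad, p)
        if oid_tag != 0x06:
            raise ValueError("accessMethod must be an OBJECT IDENTIFIER")
        # Only a URI GeneralName is usable as a transport locator here.
        location = name_bytes.decode("ascii") if name_tag == 0x86 else None
        result.append((decode_oid(oid_bytes), location))
    return result


def ocsp_responders(aia_entries):
    """Keep only entries whose accessMethod is id-ad-ocsp; the OID gives
    each entry its meaning, so a caIssuers LDAP pointer is never tried
    as a responder and no random choice among URLs is needed."""
    return [loc for method, loc in aia_entries if method == ID_AD_OCSP and loc]


# Constructed sample: an OCSP responder over HTTP, a CA-issuers directory
# over LDAP, and a second OCSP responder reached over LDAP.
SAMPLE_AIA = [
    (ID_AD_OCSP, "http://ocsp.example.test/"),
    (ID_AD_CA_ISSUERS, "ldap://dir.example.test/cn=Example%20CA?cACertificate"),
    (ID_AD_OCSP, "ldap://ocsp.example.test/"),
]


def demo():
    """Round-trip the sample through DER and select the OCSP locations."""
    return ocsp_responders(parse_aia(encode_aia(SAMPLE_AIA)))


if __name__ == "__main__":
    print(demo())
```

The encoded sample is longer than 127 bytes, so the outer SEQUENCE uses a long-form length and the parser exercises that path; both LDAP URLs survive the round trip, but only the one tagged id-ad-ocsp is returned as a responder.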