
Re: WG Last call, redux



Several folks pointed out that I made the re-opening of last call into a
treasure hunt!  Sorry 'bout that.  I am away from the office and not easily
able to provide a diff, but I can describe the goal for the changes, which
resulted in both editorial and substantive modifications to the text.

The concern I raised with the OCSP authors was that it was not clear what
the hard and fast requirements were for CAs and clients with regard to
supporting three different ways that OCSP can be "enabled." I felt it
important to ensure that CAs and clients that claim conformance would
provide a set of configuration controls that would allow interoperability,
if properly configured. So, the revised text tries to make this perfectly
clear. The final form of the requirements, with some abstraction, is
summarized below:

	- an OCSP-compliant CA SHALL be capable of issuing OCSP responses
that are signed directly by the CA, and MUST be able to designate an OCSP
responder by issuing an appropriately marked certificate directly to the
responder.  The choice of direct vs. delegated OCSP responses is a local,
administrative option. The CA also SHALL be capable of putting the AIA
extension into certs when it is the intent that these certs will be checked
via OCSP, and MUST be capable of populating this extension with the OID
specifying the OCSP access method and a URI for such access.  (This last part
was changed from a MAY to a MUST, which seems reasonable to ensure the goal
cited above.)

	- an OCSP-compliant client MUST be able to accept OCSP responses
via three different means: responses signed by the CA that issued the cert
in question, responses signed by a responder directly designated by that
CA, or via a locally designated responder.  It is a local administrative
choice as to which of these options is enabled. If local designation is
enabled, vendors have choices as to how fancy it gets, e.g., how many OCSP
responders are specified, how one knows which ones are authorized to
provide status for which sets of certs, etc.


Steve
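The three client-side acceptance rules in the message above, written out as an added example (not code from the original post or from the OCSP specification): a pure-Python model that decides under which rule a response signer may vouch for a given certificate, plus extraction of the OCSP URI from the AIA extension. The `Cert` dataclass, the `key_id` field and the `local_responders` mapping are this example's own assumptions; the two OIDs are the standard values for id-kp-OCSPSigning and id-ad-ocsp. Signature verification and the revocation status of the responder's own certificate are assumed to be handled elsewhere.

```python
from dataclasses import dataclass

# Standard OIDs (RFC 2560): EKU that marks a CA-designated responder, and the
# AIA access method that carries the OCSP URI.
ID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"
ID_AD_OCSP = "1.3.6.1.5.5.7.48.1"


@dataclass(frozen=True)
class Cert:
    """Minimal certificate model (assumption of this example, not a real parser)."""
    subject: str
    issuer: str
    key_id: str          # stands in for the subject public key; cryptography is out of scope
    eku: tuple = ()      # extended key usage OIDs
    aia: tuple = ()      # (access_method_oid, uri) pairs from the AIA extension


def ocsp_uri(cert):
    """Return the OCSP URI a CA populated in AIA, or None if the cert carries none."""
    return next((uri for oid, uri in cert.aia if oid == ID_AD_OCSP), None)


def responder_acceptance(target, signer, issuer_ca, local_responders):
    """Return the rule under which `signer` may sign status for `target`, or None.

    local_responders maps an issuing CA's subject to the key ids of responders
    that local configuration trusts for that CA's certificates.
    """
    if target.issuer != issuer_ca.subject:
        raise ValueError("issuer_ca is not the issuer of target")
    # Rule 1: the response is signed directly by the CA that issued the cert.
    if signer.key_id == issuer_ca.key_id:
        return "direct-ca"
    # Rule 2: a responder the CA designated by issuing it a certificate marked
    # with id-kp-OCSPSigning. A marked cert from any other issuer is rejected.
    if signer.issuer == issuer_ca.subject and ID_KP_OCSP_SIGNING in signer.eku:
        return "ca-delegated"
    # Rule 3: a locally designated responder, accepted only by explicit local
    # configuration and only for the CA it was configured for.
    if signer.key_id in local_responders.get(issuer_ca.subject, ()):
        return "local"
    return None
```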