
RE: apologies and comments on SCVP



Hi Tom,
    Fair question. I think I have tried to answer it before; let
me try again.

There are 2 application classes for SCVP:
1. ClientType1
2. ClientType2

(I have purposely chosen *not* to try and use more descriptive
names for the clients, to avoid digressive discussions).

ClientType1 basically wants to be able to use public key
cryptography (and the PKIX infrastructure), without needing to
understand all of PKIX part1, OCSP, LDAP etc. It is outsourcing
the task of checking cert status, cert expiry, policy management
etc. to the SCVP server. The main question ClientType1 is asking
is: "Hey, I got this cert, can I use it for application X?".
The minimal response the server needs to provide is a signed
yes/no. If you throw away all the extra stuff, you essentially
have the client sending in a cert and getting back a yes/no
answer.

ClientType2 is basically getting the server to build all the
chains, get validation responses etc., but checks all the
responses itself - it isn't trusting the work done by the
server, but using it mainly as somebody to offload the work to,
which it then verifies.

My main push is for serving the needs of ClientType1, just
because I believe it opens up PKI to a lot more applications.

Now to get to your main question about what the difference is
between OCSP and SCVP.

In OCSP, all you are getting is the status of a certificate.
The client *must* build the chain - because it needs to tell
the responder which CA it is talking about. So, OCSP requires
the client to do the chain building, cert date/signature checking,
policy checking etc. The main thing the responder is doing,
is telling you the status of the certificate.

Does this help clarify the differences?

Regards,
Ambarish

---------------------------------------------------------------------
Ambarish Malpani
Architect                                                650.567.5457
ValiCert, Inc.                                  ambarish@valicert.com
1215 Terra Bella Ave.                         http://www.valicert.com
Mountain View, CA 94043-1833
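The two SCVP client types and the OCSP division of labour described in the message above, modelled as a small Python program. This is an added example, not code from the SCVP or OCSP drafts: certificates are plain dicts in a constructed store, issuer links stand in for signature verification, and an HMAC with a shared key stands in for the SCVP server's response signature (in a real deployment ClientType1 would hold the server's public key). The point it makes visible is where the trust sits: ClientType1 only checks the server's signature on a yes/no, ClientType2 re-checks every link the server hands back, and an OCSP client has to build the chain itself before it can even ask the responder about one certificate.

```python
import hashlib
import hmac
import json

# Constructed certificate store (not real certificates):
# name -> issuer, expiry expressed as a day number, revocation flag.
CERTS = {
    "RootCA": {"issuer": "RootCA", "not_after": 400, "revoked": False},
    "SubCA":  {"issuer": "RootCA", "not_after": 300, "revoked": False},
    "alice":  {"issuer": "SubCA",  "not_after": 200, "revoked": False},
    "bob":    {"issuer": "SubCA",  "not_after": 50,  "revoked": False},  # expired
    "carol":  {"issuer": "SubCA",  "not_after": 200, "revoked": True},   # revoked
}
TRUST_ANCHORS = {"RootCA"}
TODAY = 100
SERVER_KEY = b"constructed-scvp-server-key"  # stands in for the server's signing key


def build_chain(leaf):
    """Walk issuer links from the leaf up to a trust anchor; None if none is reached."""
    chain, seen = [leaf], set()
    while chain[-1] not in TRUST_ANCHORS:
        cur = chain[-1]
        if cur in seen or cur not in CERTS:
            return None
        seen.add(cur)
        chain.append(CERTS[cur]["issuer"])
    return chain


def check_certs(chain, certs, today):
    """The PKIX part-1 style checks on every cert in the path: unexpired and unrevoked."""
    for name in chain:
        c = certs[name]
        if c["not_after"] < today:
            return False, f"{name} expired"
        if c["revoked"]:
            return False, f"{name} revoked"
    return True, "ok"


def sign(payload):
    """HMAC over the canonical JSON of the verdict; a placeholder for a real signature."""
    data = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(SERVER_KEY, data, hashlib.sha256).hexdigest()


def scvp_server(leaf, client_type, today=TODAY):
    """ClientType1 gets a signed yes/no; ClientType2 gets the chain and the certs to re-check."""
    chain = build_chain(leaf)
    if client_type == 1:
        ok, why = check_certs(chain, CERTS, today) if chain else (False, "no path to trust anchor")
        verdict = {"cert": leaf, "valid": ok, "reason": why}
        return {"verdict": verdict, "sig": sign(verdict)}
    return {"chain": chain, "certs": {n: CERTS[n] for n in chain} if chain else {}}


def client_type1(leaf):
    """Outsources everything: trusts the verdict once the server's signature checks out."""
    resp = scvp_server(leaf, 1)
    if not hmac.compare_digest(resp["sig"], sign(resp["verdict"])):
        raise ValueError("SCVP response signature does not verify")
    return resp["verdict"]["valid"]


def client_type2(leaf, today=TODAY):
    """Uses the server only to offload chain building, then verifies every link itself."""
    resp = scvp_server(leaf, 2)
    chain, certs = resp["chain"], resp["certs"]
    if not chain or chain[0] != leaf or chain[-1] not in TRUST_ANCHORS:
        return False
    for child, parent in zip(chain, chain[1:]):
        if certs[child]["issuer"] != parent:   # server-supplied link must match the cert itself
            return False
    return check_certs(chain, certs, today)[0]


def ocsp_responder(issuer, cert):
    """Answers only one question: is this cert, issued by this CA, revoked?"""
    c = CERTS.get(cert)
    if c is None or c["issuer"] != issuer:
        return "unknown"
    return "revoked" if c["revoked"] else "good"


def ocsp_client(leaf, today=TODAY):
    """The client builds the chain and checks dates itself; OCSP supplies only per-cert status."""
    chain = build_chain(leaf)
    if chain is None:
        return False
    if any(CERTS[n]["not_after"] < today for n in chain):
        return False
    return all(ocsp_responder(issuer, cert) == "good" for cert, issuer in zip(chain, chain[1:]))


if __name__ == "__main__":
    for name in ("alice", "bob", "carol", "mallory"):
        print(name, client_type1(name), client_type2(name), ocsp_client(name))
```

Note what `client_type1` never touches: the certificate store, expiry dates or revocation state. Its entire trust decision rests on `SERVER_KEY`, so in that deployment model the SCVP server's signing key, not the CA hierarchy, is the client's effective trust anchor, and protecting and pinning that key is the control that matters.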


> -----Original Message-----
> From: tgindin@us.ibm.com [mailto:tgindin@us.ibm.com]
> Sent: Thursday, August 26, 1999 8:07 AM
> To: Alan Lloyd; ambarish@valicert.com
> Subject: Re: apologies and comments on SCVP
> 
> 
>      Alan,
> 
>      I frequently feel that you are too strongly committed to 
> the idea that DAP
> is superior to LDAP.  I would agree that at this point, 
> LDAP's main advantage is
> not that it's lighter weight as a protocol but that it runs over a
> lighter-weight and more widely distributed protocol stack - 
> maybe we should call
> it TDAP for TCP/IP DAP, and also that a TDSP would help 
> matters greatly (and I
> don't mean one with OSI layers 5 and 6 intact running over 
> port 102 either).
>      However, I do think you have a strong point here.  What 
> are the functional
> and trust differences between OCSP and SCVP, and what will keep SCVP
> significantly lighter-weight than OCSP once the requirements 
> types start in on
> it?  Ambarish, could you explain this to us or to the group 
> as a whole?  If
> there are no good answers to this, why should we have a clone 
> of OCSP when there
> is no networking technology advantage such as LDAP has over 
> DAP to carry the new
> one to success?
> 
>           Tom Gindin
> 
>