
RE: SCVP-01



Since this WG is based on the premise of using X509 certs, those VPN
vendors that will never use certs (as opposed to waiting until things get
"easier") are out of scope here.

But the OCSP protocol doesn't need certs.  It needs a DN and two key hashes.
Why not just define an OCSP critical extension that says "verify this cert,
and verify up the chain as well."  The footprint for a dedicated DER parser
that knew how to generate only those requests, and parse only well-formed
replies, would be pretty small.

Why won't that work?
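The request sketched above, as an added example that is not from the thread: a small pure-Python encoder that emits only an OCSPRequest (RFC 2560 syntax) carrying one critical request extension, to show how little DER a dedicated requester needs. The "verify up the chain" extension OID and the issuer name/key inputs are constructed placeholders, not registered or real values.

```python
"""Added example (not from the PKIX thread): minimal DER for an OCSPRequest
with one critical request extension. CHAIN_EXT_OID is a hypothetical placeholder."""
import hashlib
SHA1_OID = "1.3.14.3.2.26"
CHAIN_EXT_OID = "1.3.6.1.4.1.99999.1"   # placeholder arc, not registered

def der_len(n):
    """Definite length: short form below 128, minimal long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs merge as 40*a+b, rest are base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]; a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F)); a >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def der_int(n):
    """Non-negative INTEGER; a leading 0x00 is added when the top bit is set."""
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))

def cert_id(issuer_name_der, issuer_key_bits, serial):
    """CertID: SHA-1 of the issuer Name DER and of the issuer key bits, plus serial."""
    alg = tlv(0x30, der_oid(SHA1_OID) + b"\x05\x00")
    return tlv(0x30, alg + tlv(0x04, hashlib.sha1(issuer_name_der).digest())
               + tlv(0x04, hashlib.sha1(issuer_key_bits).digest()) + der_int(serial))

def extension(oid, critical, value):
    """Extension; critical BOOLEAN is DEFAULT FALSE, so it is emitted only when TRUE."""
    return tlv(0x30, der_oid(oid) + (b"\x01\x01\xff" if critical else b"") + tlv(0x04, value))

def ocsp_request(cid, exts):
    """OCSPRequest { TBSRequest { requestList SEQUENCE OF Request, [2] Extensions } }"""
    tbs = tlv(0x30, tlv(0x30, tlv(0x30, cid)) + tlv(0xA2, tlv(0x30, b"".join(exts))))
    return tlv(0x30, tbs)

def build_example():
    # constructed stand-ins for a real issuer Name DER and public-key bits
    cid = cert_id(b"constructed issuer Name DER", b"constructed key bits", 0x1234)
    return ocsp_request(cid, [extension(CHAIN_EXT_OID, True, b"\x05\x00")])
```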