
RE: SCVP-01



Hi Rich,
    The OCSP protocol needs a serial number and the hashes of
the issuer's DN and public key.

Anyway, to answer your bigger question: No, that wouldn't
work because OCSP does need you (the client) to form the chain
(since you need to include the hash of the CA's public
key with the request). If you can't create at least the
first link in the chain, you can't make the request.

If we took out the CA's public key from the request, you
open yourself up to the situation where a client can't
uniquely identify the CA it is talking about (since 2 CAs
could have the same DN). Also, if the client doesn't have the
CA's public key, it can't verify the signature on the cert,
which leaves it open to a slew of other attacks.

Yes, we could put in a bunch of changes in OCSP to make it
work, but you would end up changing the semantics of a large
part of OCSP.

Hope this clarifies things.

Regards,
Ambarish

---------------------------------------------------------------------
Ambarish Malpani
Architect                                                650.567.5457
ValiCert, Inc.                                  ambarish@valicert.com
1215 Terra Bella Ave.                         http://www.valicert.com
Mountain View, CA 94043-1833


> -----Original Message-----
> From: Salz, Rich [mailto:SalzR@CertCo.com]
> Sent: Monday, August 30, 1999 1:16 PM
> To: 'Paul Hoffman / VPNC'; 'Ambarish Malpani'
> Cc: ietf-pkix@imc.org
> Subject: RE: SCVP-01
> 
> 
> Since this WG is based on the premise of using X509 certs, those VPN
> vendors that will never use certs (as opposed to waiting until things
> get "easier") are out of scope here.
> 
> But the OCSP protocol doesn't need certs.  It needs a DN and two key
> hashes.  Why not just define an OCSP critical extension that says
> "verify this cert, and verify up the chain as well."  The footprint
> for a dedicated DER parser that knew how to generate only those
> requests, and parse only well-formed replies, would be pretty small.
> 
> Why won't that work?
>
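The point Ambarish makes above (an OCSP request carries a CertID built from a hash of the issuer's DN, a hash of the issuer's public key and the target serial, so the client must already hold the issuer's certificate to form it) is easier to see with the structure in hand. The following is an added example written for this archive page, not code from either correspondent or from ValiCert; it builds a CertID as defined in RFC 2560 section 4.1.1 with a minimal DER encoder from the standard library only. The CA name "Example CA" and the key bytes are constructed sample data, and SHA-1 is used as the hash algorithm, as RFC 2560 clients commonly did. It also demonstrates the "two CAs with the same DN" case: two issuers sharing a DN produce the same issuerNameHash but different issuerKeyHash values, which is exactly why the key hash cannot be dropped.

```python
"""
Build an OCSP CertID (RFC 2560, section 4.1.1) from the issuer's DER Name,
the issuer's SubjectPublicKeyInfo and the target certificate's serial number.
Added example for this page; the CA name and key bytes below are constructed.
"""
import hashlib

ID_SHA1 = "1.3.14.3.2.26"                 # id-sha1
ID_RSA_ENCRYPTION = "1.2.840.113549.1.1.1"  # rsaEncryption
ID_AT_COMMON_NAME = "2.5.4.3"             # id-at-commonName


# --- minimal DER encoder / reader (enough for CertID, Name and SPKI) -------
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def der_sequence(*parts: bytes) -> bytes:
    return tlv(0x30, b"".join(parts))

def der_set(*parts: bytes) -> bytes:
    return tlv(0x31, b"".join(parts))

def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]            # base-128, high bit set on all but last
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return tlv(0x06, bytes(body))

def der_integer(n: int) -> bytes:
    # non-negative only; a leading zero is added when the high bit is set
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def der_octet_string(b: bytes) -> bytes:
    return tlv(0x04, b)

def der_bit_string(b: bytes) -> bytes:
    return tlv(0x03, b"\x00" + b)       # leading octet = 0 unused bits

def der_null() -> bytes:
    return b"\x05\x00"

def der_printable(s: str) -> bytes:
    return tlv(0x13, s.encode("ascii"))

def der_read(data: bytes, off: int = 0):
    """Return (tag, body, next_offset) for the TLV starting at data[off]."""
    tag, length, off = data[off], data[off + 1], off + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(data[off:off + nbytes], "big")
        off += nbytes
    return tag, data[off:off + length], off + length


# --- OCSP CertID -----------------------------------------------------------
def subject_public_key_bits(spki_der: bytes) -> bytes:
    """RFC 2560 hashes the subjectPublicKey BIT STRING value only: no tag,
    no length, and without the unused-bits octet."""
    tag, body, _ = der_read(spki_der)
    assert tag == 0x30, "SubjectPublicKeyInfo must be a SEQUENCE"
    _, _, off = der_read(body)          # skip AlgorithmIdentifier
    tag, bits, _ = der_read(body, off)
    assert tag == 0x03, "subjectPublicKey must be a BIT STRING"
    return bits[1:]

def build_cert_id(issuer_name_der: bytes, issuer_spki_der: bytes, serial: int) -> bytes:
    """CertID ::= SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }.
    Both hashes need data from the *issuer's* certificate, which the client
    must already have located: the first link of the chain."""
    return der_sequence(
        der_sequence(der_oid(ID_SHA1), der_null()),
        der_octet_string(hashlib.sha1(issuer_name_der).digest()),
        der_octet_string(hashlib.sha1(subject_public_key_bits(issuer_spki_der)).digest()),
        der_integer(serial),
    )

def cert_id_fields(cert_id_der: bytes) -> dict:
    """Decode a CertID back into its fields (hex digests, int serial)."""
    _, body, _ = der_read(cert_id_der)
    _, _, off = der_read(body)          # hashAlgorithm
    _, name_hash, off = der_read(body, off)
    _, key_hash, off = der_read(body, off)
    _, serial, _ = der_read(body, off)
    return {"issuerNameHash": name_hash.hex(), "issuerKeyHash": key_hash.hex(),
            "serialNumber": int.from_bytes(serial, "big")}


# --- constructed sample issuer data (not real certificates) ----------------
def make_name(common_name: str) -> bytes:
    return der_sequence(der_set(der_sequence(der_oid(ID_AT_COMMON_NAME),
                                             der_printable(common_name))))

def make_spki(key_material: bytes) -> bytes:
    # Stand-in SPKI: the BIT STRING normally carries a DER RSAPublicKey;
    # here it carries constructed sample bytes so the example runs offline.
    return der_sequence(der_sequence(der_oid(ID_RSA_ENCRYPTION), der_null()),
                        der_bit_string(key_material))

if __name__ == "__main__":
    name = make_name("Example CA")                       # same DN for both CAs
    for label, key in (("CA-A", b"A" * 32), ("CA-B", b"B" * 32)):
        print(label, cert_id_fields(build_cert_id(name, make_spki(key), 0x1234)))
```

Running the block prints two CertIDs for the same DN and serial whose issuerNameHash fields match while their issuerKeyHash fields differ; without the key hash an OCSP responder could not tell which of the two CAs the question is about.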