
RE: SCVP-01



At 04:15 PM 8/30/1999 -0400, Salz, Rich wrote:
> Since this WG is based on the premise of using X509 certs, those VPN
> vendors that will never use certs (as opposed to waiting until things get
> "easier") are out of scope here.
Sorry for not being clearer in the previous message. All the vendors who don't use certs today *want to use certs*. There are no IPsec vendors that I know of that say "we never want to use certs". There are many who are saying "gee, um, we'll have that Real Soon Now".

> But the OCSP protocol doesn't need certs. It needs a DN and two key hashes.
> Why not just define an OCSP critical extension that says "verify this cert,
> and verify up the chain as well." The footprint for a dedicated DER parser
> that knew how to generate only those requests, and parse only well-formed
> replies, would be pretty small.
>
> Why won't that work?
As I've said earlier on this list, the OCSP protocol would have to be rewritten to allow this. The semantics in the protocol were purposely restricted not to do this. However, it is more than just rewriting OCSP and having it recycle at Proposed Standard. SCVP has many features in the request and response that give much more granularity than what you propose, as well as other features such as passing back the information needed by a client to validate.

If it's desired, we could eliminate some features from SCVP to make it simpler, possibly simple enough to fit inside an OCSP extension.

--Paul Hoffman, Director
--VPN Consortium