
RE: SCVP-01



At 05:21 PM 8/31/1999 +1000, Alan Lloyd wrote:
> snip
> > Yes, we could put in a bunch of changes in OCSP to make it
> > work, but you would end up changing the semantics of a large
> > part of OCSP.
>
> It's best to add a few features to a trusted transport that
> serves a common operational function (cert status and validation) than
> reinvent the whole box and dice again - re key management, protocol header
> formats, routing references, etc, etc - and also introduce compatibility
> and interoperability when both technologies are used in the same
> operational system.
Yes, that's probably true. SCVP doesn't do any of that. This seems like a red herring.

> One only has to think of the customer and what they want...
> simpler systems, less code changes, less protocols, less databases and
> less configuration and more capability and trust - to see what the
> logical answer is...
Yes, that's probably true. Do you think that adding the SCVP functionality to OCSP would not involve more complicated systems and more code changes? Of course, it is one more protocol, but if you're talking bits on the wire, the SCVP request and response are carried on the same protocols as OCSP. I don't know what you mean by more databases or more configuration. If you want to get the functionality of SCVP in OCSP, you'll need to have the same databases and configuration, and the same capability and trust.

Or are you saying that none of the SCVP features are desired by anyone?

> Why do OCSP and LDAP have extensions... It's not so we can
> ignore them and produce another YAP with optional extensions that won't
> be used...
Correct. OCSP extensions can be used to extend OCSP. What we are proposing does not fit into the semantics of OCSP. There are two possible solutions: extend the semantics of OCSP, or create a different protocol that does what you want without forcing a change in an existing protocol. SCVP uses the latter approach.

If you think it should use the former, I extend the same suggestion that I extended to Mike Myers: do the work of changing the OCSP spec to include the SCVP functionality and show it to the group. I sincerely think that you will not find it easy, and that OCSP developers will find it as hard (or even harder) to shoehorn in your changes to OCSP extension mechanism as they would to use the SCVP request and response format. I could be wrong about this, and would be happy to admit so if your draft looks easier than SCVP. But Ambarish and I really looked at this before we created our own format.

--Paul Hoffman, Director
--VPN Consortium