Re: [pkix] An alternative proposal Was: Fwd: New Version Notification for draft-hamilton-cmr-00.txt
Phillip Hallam-Baker <hallam@gmail.com> Wed, 02 November 2011 23:57 UTC
From: Phillip Hallam-Baker <hallam@gmail.com>
To: "Miller, Timothy J." <tmiller@mitre.org>
Cc: "pkix@ietf.org" <pkix@ietf.org>

No, the CRL is only authoritative for invalidity.

Looks to me like you are going to have a problem when we fix this. That is your problem, not ours. We can fix it here or elsewhere but you have no veto on it being fixed.

And the 'world's biggest PKI' cost how much per cert? Not a model I feel like following.

On Wed, Nov 2, 2011 at 8:10 AM, Miller, Timothy J. <tmiller@mitre.org> wrote:

> On 11/1/11 5:20 PM, "Kyle Hamilton" <kyanha@kyanha.net> wrote:
>
> >A responder without access to the CA database can answer REVOKED or
> >UNKNOWN.
>
> Current OCSP clients treat UNKNOWN as a failure. UNKNOWN means the
> responder cannot provide an answer; e.g., the responder doesn't have
> current data, or the responder is not authorized to respond for that
> issuer.
>
> Recall that the authoritative statement of validity is the CRL. CRLs do
> not communicate cert existence. A responder seeded with a CRL has its
> answer--the cert is good.
>
> If the OCSP query is for a non-existent serial number, the responder's
> answer is irrelevant anyway because the cert will fail path validation.
> So I really don't see why this is a concern to you.
>
> -- T

--
Website: http://hallambaker.com/
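
The point in dispute above, as an added example (not code from this thread or from any OCSP implementation): a toy model of a responder seeded only from a CRL next to one that can also see the CA's issuance records. The class names, the constructed issuer and serial numbers, and the choice to answer UNKNOWN for a never-issued serial are assumptions made for the illustration.

```python
from enum import Enum

class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"

class CrlSeededResponder:
    """Responder whose only input is the list of revoked serials from a CRL."""
    def __init__(self, issuer, crl_serials):
        self.issuer = issuer
        self.revoked = frozenset(crl_serials)

    def status(self, issuer, serial):
        if issuer != self.issuer:
            return Status.UNKNOWN      # not authorized to answer for that issuer
        # A CRL carries revocations only, so "never issued" and "issued and
        # valid" look identical here: both are simply absent from the list.
        return Status.REVOKED if serial in self.revoked else Status.GOOD

class DatabaseResponder(CrlSeededResponder):
    """Responder that can also consult the CA's record of issued serials."""
    def __init__(self, issuer, crl_serials, issued_serials):
        super().__init__(issuer, crl_serials)
        self.issued = frozenset(issued_serials)

    def status(self, issuer, serial):
        answer = super().status(issuer, serial)
        # Assumed policy for this example: refuse to vouch for a serial
        # the CA has no record of issuing.
        if answer is Status.GOOD and serial not in self.issued:
            return Status.UNKNOWN
        return answer

def client_accepts(status):
    """Client behaviour described in the thread: UNKNOWN is treated as failure."""
    return status is Status.GOOD

# Constructed sample data, not taken from any real CA.
ISSUER = "CN=Example CA"
ISSUED = {0x1001, 0x1002, 0x1003}
REVOKED = {0x1002}

def compare(queries):
    """Map each (issuer, serial) query to (CRL-seeded answer, database answer)."""
    crl_only = CrlSeededResponder(ISSUER, REVOKED)
    with_db = DatabaseResponder(ISSUER, REVOKED, ISSUED)
    return {q: (crl_only.status(*q), with_db.status(*q)) for q in queries}

if __name__ == "__main__":
    sample = [(ISSUER, 0x1001), (ISSUER, 0x1002), (ISSUER, 0x9999)]
    for (issuer, serial), (a, b) in compare(sample).items():
        print(f"{serial:#06x}: crl-seeded={a.value:8} database={b.value}")
```

The two responders differ only on serial 0x9999, which the constructed CA never issued: the CRL-seeded one answers good, and a client relying on that answer alone accepts it.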