Re: OCSPv2: 02: certHash is not unique
Denis Pinkas <Denis.Pinkas@bull.net> Thu, 29 March 2001 16:13 UTC
Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with SMTP id LAA21262 for <pkix-archive@odin.ietf.org>; Thu, 29 Mar 2001 11:13:55 -0500 (EST)
Received: from localhost (daemon@localhost) by above.proper.com (8.9.3/8.9.3) with SMTP id IAA11903; Thu, 29 Mar 2001 08:12:59 -0800 (PST)
Received: by mail.imc.org (bulk_mailer v1.12); Thu, 29 Mar 2001 08:12:43 -0800
Received: from odin2.bull.net (odin2.bull.net [192.90.70.84]) by above.proper.com (8.9.3/8.9.3) with ESMTP id IAA11851 for <ietf-pkix@imc.org>; Thu, 29 Mar 2001 08:12:41 -0800 (PST)
Received: from lvt-mail.frlv.bull.fr (lvt-mail.frlv.bull.fr [129.184.62.223]) by odin2.bull.net (8.9.3/8.9.3) with ESMTP id SAA12700; Thu, 29 Mar 2001 18:11:57 +0200
Received: from bull.net (frlva3786.frlv.bull.fr [129.184.37.97]) by lvt-mail.frlv.bull.fr (8.9.2/8.9.1) with ESMTP id SAA10854; Thu, 29 Mar 2001 18:12:08 +0200
Message-ID: <3AC35ED2.30301214@bull.net>
Date: Thu, 29 Mar 2001 18:12:02 +0200
From: Denis Pinkas <Denis.Pinkas@bull.net>
Organization: Bull
X-Mailer: Mozilla 4.7 [fr] (Win98; I)
X-Accept-Language: fr
MIME-Version: 1.0
To: Ambarish Malpani <ambarish@valicert.com>
CC: ietf-pkix@imc.org
Subject: Re: OCSPv2: 02: certHash is not unique
References: <613B3C619C9AD4118C4E00B0D03E7C3E014C8BA6@exchange.valicert.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Precedence: bulk
List-Archive: http://www.imc.org/ietf-pkix/mail-archive/
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: mailto:ietf-pkix-request@imc.org?body=unsubscribe
Content-Transfer-Encoding: 7bit
Ambarish, I second your position. Denis > Mike, > As I have said a few times before, I strongly oppose the > idea of using certHash as a method of identifying the certificate > whose status you want to check. It forces the responder to have > access to information that is not normally available to most > responders - even those run by most CAs (AFAIK). > > I don't know that we are saving all that many bytes by using > certHash as opposed to certID. > > It just doesn't make sense to me that we provide 5-6 different > ways of identifying a certificate in OCSP - I think it will > lead to a lot more interop problems, without buying us any > additional functionality. > > Regards, > Ambarish > > --------------------------------------------------------------------- > Ambarish Malpani > Architect 650.567.5457 > ValiCert, Inc. ambarish@valicert.com > 339 N. Bernardo Ave. http://www.valicert.com > Mountain View, CA 94043 > > > -----Original Message----- > > From: Michael Myers [mailto:myers@coastside.net] > > Sent: Wednesday, March 28, 2001 5:59 PM > > To: pgut001@cs.auckland.ac.nz; ccovey@cylink.com; ietf-pkix@imc.org > > Subject: RE: OCSPv2: 02: certHash is not unique > > > > > > Peter, > > > > After some correspondence, I've come to the same conclusion > > despite my prior > > proposal to Jim. The high-level intent of the presence of an > > option to > > hash/fingerprint the cert was to enable alignment to known > > practices, not > > produce yet another variant. > > > > Mike > > > > > -----Original Message----- > > > From: pgut001@cs.auckland.ac.nz [mailto:pgut001@cs.auckland.ac.nz] > > > Sent: Thursday, March 29, 2001 9:47 AM > > > To: ccovey@cylink.com; ietf-pkix@imc.org > > > Subject: Re: OCSPv2: 02: certHash is not unique > > > > > > > > > "Carlin Covey" <ccovey@cylink.com> writes: > > > > > > >I am quite content with the suggestion that Jim made concerning > > > computing the > > > >certHash over only the signed portions of the certificate. > > > > > > I'm not. I already have to create, track, store, and process a > > > whole pile of > > > certificate identifiers, and adding yet another wierdo > > identifier which is > > > compatible with nothing else in existence to that pile when > > > there's no need for > > > it to be incompatible is something which I can really do without. > > > The SHA-1 > > > hash of the whole cert as "fingerprint" is pretty much > > > universally used and > > > accepted, unless there's a very strong reason not to use it I > > > don't see why we > > > need to invent yet another new identifier. > > > > > > Peter. > > > > > > > >
- OCSPv2: 02: certHash is not unique Manger, James H
- RE: OCSPv2: 02: certHash is not unique Ambarish Malpani
- Re: OCSPv2: 02: certHash is not unique Terry Hayes
- RE: OCSPv2: 02: certHash is not unique Michael Myers
- RE: OCSPv2: 02: certHash is not unique Manger, James H
- Re: OCSPv2: 02: certHash is not unique Peter Gutmann
- Re: OCSPv2: 02: certHash is not unique Carlin Covey
- Re: OCSPv2: 02: certHash is not unique Peter Gutmann
- RE: OCSPv2: 02: certHash is not unique Carlin Covey
- RE: OCSPv2: 02: certHash is not unique Michael Myers
- RE: OCSPv2: 02: certHash is not unique Manger, James H
- RE: OCSPv2: 02: certHash is not unique Ambarish Malpani
- Re: OCSPv2: 02: certHash is not unique Denis Pinkas
- FW: OCSPv2: 02: certHash is not unique Carlin Covey
- RE: OCSPv2: 02: certHash is not unique Peter Gutmann
- RE: OCSPv2: 02: certHash is not unique Jonathan.Tuliani
- RE: OCSPv2: 02: certHash is not unique Ryan Hurst