Re: operational protocols
"Housley, Russ" <housley@spyrus.com> Mon, 07 April 1997 03:51 UTC
Received: by suntan.tandem.com (8.6.12/suntan5.970212) for ietf-pkix-relay id UAA15305; Sun, 6 Apr 1997 20:51:36 -0700
Received: from netcomsv.netcom.com by suntan.tandem.com (8.6.12/suntan5.970212) for <ietf-pkix@tandem.com> id UAA15299; Sun, 6 Apr 1997 20:51:35 -0700
Received: by netcomsv.netcom.com with UUCP (8.6.12/SMI-4.1) id UAA04307; Sun, 6 Apr 1997 20:45:25 -0700
Received: from cc:Mail by spysouth.spyrus.com id AA860380956 Sun, 06 Apr 97 19:42:36
Date: Sun, 06 Apr 1997 19:42:36 -0000
From: "Housley, Russ" <housley@spyrus.com>
Encoding: 2014 Text
Message-Id: <9703068603.AA860380956@spysouth.spyrus.com>
To: ietf-pkix@tandem.com, Stefan.Hoeben@esat.kuleuven.ac.be
Subject: Re: operational protocols
Stef: How is LDAP different than any other access to a certificate and CRL repository? I do not see what makes the CIL important in the LDAP environment more than any other environment (like FTP or full DAP). Also, does the use of distributed, replicated Directories help solve your concern? If not, ow about the use of more than one distriution mechanism, say FTP and LDAP. Russ ______________________________ Reply Separator _________________________________ Subject: operational protocols Author: Stef Hoeben <Stefan.Hoeben@esat.kuleuven.ac.be> Date: 4/3/97 6:21 AM Hello, Some questions about the ipki2opp-00 draft (by the way, nice work:) - In the abstract, it looks like only the OCSP protocol can be use for online checking. But this is also possible with the LDAP protocol, isn't it? Isn't the only difference that LDAP gives the whole certificate or CRL, while the OCSP only gives the status? - Do you put the OCSP protocol _in_ an HTML file? Do you have to define new tags? Are there examples avaiable somewhere? Do Netscape and Microsoft have to put this procotol in their browsers? (Sorry for the dumb questions.) - A small remark about the security of LDAP: it is true that the messages don't need to be signed because the CA allready signed the certs ans CRL. BUT a nasty LDAPd could just answer on a request: 'I don't have that certificate or CRL' while he actually does have it. Perhaps a way to solve this is a CIL or Certficate Issue List (it's in a paper by Silvio Micali, you can find a copy at http://www.esat.kuleuven.ac.be/~hoeben/micali.ps). In that list the CA just puts the serial numbers of the certs (eventually after removing some redundancy) and signs it. If there comes a request for a cert the CA didn't issue, the LDAPd just gives the CIL to prove he hasn't got the cert. I guess this CIL is allready possible in X.509 v3, with the aid of private extensions, isn't it? Greetings, Stef
- Re: operational protocols Housley, Russ
- Re: operational protocols Housley, Russ
- Re: operational protocols Patrick Richard
- Re: operational protocols Reginald Carey
- Re: operational protocols Stef Hoeben
- RE(2): operational protocols T.A.Parker
- Re: operational protocols Mike Smith
- Re: operational protocols Mike Smith
- Re: operational protocols Stef Hoeben
- Re: operational protocols David Boyce
- Re: operational protocols Stef Hoeben