Re: operational protocols

"Housley, Russ" <housley@spyrus.com> Mon, 07 April 1997 03:51 UTC

Date: Sun, 06 Apr 1997 19:42:36 -0000
From: "Housley, Russ" <housley@spyrus.com>
Message-Id: <9703068603.AA860380956@spysouth.spyrus.com>
To: ietf-pkix@tandem.com, Stefan.Hoeben@esat.kuleuven.ac.be
Subject: Re: operational protocols

Stef:

How is LDAP different than any other access to a certificate and CRL 
repository?  I do not see what makes the CIL important in the LDAP 
environment more than any other environment (like FTP or full DAP).

Also, does the use of distributed, replicated Directories help solve your 
concern?  If not, how about the use of more than one distribution mechanism, 
say FTP and LDAP.

Russ

______________________________ Reply Separator _________________________________
Subject: operational protocols
Author:  Stef Hoeben <Stefan.Hoeben@esat.kuleuven.ac.be>
Date:    4/3/97 6:21 AM


Hello,

Some questions about the ipki2opp-00 draft (by the way, 
nice work:)

- In the abstract, it looks like only the OCSP protocol 
can be used for online checking. But this is also possible
with the LDAP protocol, isn't it? Isn't the only difference 
that LDAP gives the whole certificate or CRL, while the 
OCSP only gives the status?

- Do you put the OCSP protocol _in_ an HTML file? Do you 
have to define new tags?  Are there examples available 
somewhere? Do Netscape and Microsoft have to put this 
protocol in their browsers? (Sorry for the dumb questions.)

- A small remark about the security of LDAP: it is true 
that the messages don't need to be signed because the CA 
already signed the certs and CRL. BUT a nasty LDAPd could 
just answer on a request: 'I don't have that certificate 
or CRL' while he actually does have it. 
Perhaps a way to solve this is a CIL or Certificate Issue List 
(it's in a paper by Silvio Micali, you can find a copy at 
http://www.esat.kuleuven.ac.be/~hoeben/micali.ps). In that
list the CA just puts the serial numbers of the certs (eventually 
after removing some redundancy) and signs it. If there comes a 
request for a cert the CA didn't issue, the LDAPd just gives
the CIL to prove he hasn't got the cert.
I guess this CIL is already possible in X.509 v3, with the 
aid of private extensions, isn't it?

   Greetings, Stef
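The CIL idea in Stef's post, worked through as an added example that is not part of the thread: the CA signs a compressed list of the serial numbers it issued, the repository returns that list whenever it denies having a cert, and the relying party checks that the denial is consistent with the signed list. HMAC-SHA256 with a constructed key stands in for the CA's real public-key signature, and all serials and certs are made-up sample data.

```python
import hashlib
import hmac
import json

# Constructed demo key: HMAC-SHA256 stands in for the CA's public-key
# signature so this runs with the standard library (an assumption).
CA_KEY = b"constructed-demo-ca-key"

def compress_serials(serials):
    # Collapse issued serials into (lo, hi) ranges: the "removing some
    # redundancy" step before the CA signs the list.
    ranges = []
    for s in sorted(set(serials)):
        if ranges and ranges[-1][1] + 1 == s:
            ranges[-1][1] = s
        else:
            ranges.append([s, s])
    return [tuple(r) for r in ranges]

def issue_cil(serials, issued_at):
    # CA side: sign the compressed list of serial numbers it has issued.
    body = {"issued_at": issued_at, "ranges": compress_serials(serials)}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(CA_KEY, payload, hashlib.sha256).hexdigest()}

def verify_cil(cil):
    payload = json.dumps(cil["body"], sort_keys=True).encode()
    expected = hmac.new(CA_KEY, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cil["sig"])

def cil_covers(cil, serial):
    return any(lo <= serial <= hi for lo, hi in cil["body"]["ranges"])

def repository_lookup(certs, cil, serial, honest=True):
    # Directory side. honest=False models the "nasty LDAPd" that denies
    # having a cert it actually holds; either way a denial carries the CIL.
    if honest and serial in certs:
        return "cert", certs[serial]
    return "not-issued", cil

def client_lookup(lookup, serial):
    # Relying party: accept "not issued" only with a valid CIL that omits
    # the serial; a CIL that lists it exposes a withholding repository.
    kind, data = lookup(serial)
    if kind == "cert":
        return "cert"
    if not verify_cil(data):
        return "reject: bad CIL signature"
    if cil_covers(data, serial):
        return "reject: CA issued it, repository is withholding"
    return "not-issued"
```

A real deployment would put a validity period and a next-update time in the signed body, as a CRL does, so a stale CIL cannot be replayed to deny newly issued certs.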