operational protocols
Stef Hoeben <Stefan.Hoeben@esat.kuleuven.ac.be> Thu, 03 April 1997 13:20 UTC
Received: by suntan.tandem.com (8.6.12/suntan5.970212) for ietf-pkix-relay id FAA20248; Thu, 3 Apr 1997 05:20:26 -0800
Received: from barbar.esat.kuleuven.ac.be by suntan.tandem.com (8.6.12/suntan5.970212) for <ietf-pkix@tandem.com> id FAA19971; Thu, 3 Apr 1997 05:18:02 -0800
Received: from dante (dante.esat.kuleuven.ac.be [134.58.66.131]) by barbar (version 8.8.5) for <ietf-pkix@tandem.com> with SMTP id PAA03783; Thu, 3 Apr 1997 15:17:39 +0200 (METDST)
Organization: ESAT, K.U.Leuven, Belgium
Date: Thu, 03 Apr 1997 15:18:30 +0200
From: Stef Hoeben <Stefan.Hoeben@esat.kuleuven.ac.be>
X-Sender: hoeben@dante
Reply-To: Stef Hoeben <Stefan.Hoeben@esat.kuleuven.ac.be>
To: ietf-pkix@tandem.com
Subject: operational protocols
In-Reply-To: <c=CA%a=_%p=NorTel_Secure_Ne%l=GRANNY-970401173301Z-35642@bwdldb.ott.bnr.ca>
Message-ID: <Pine.ULT.3.95.970403112753.8665E-100000@dante>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Hello, Some questions about the ipki2opp-00 draft (by the way, nice work:) - In the abstract, it looks like only the OCSP protocol can be use for online checking. But this is also possible with the LDAP protocol, isn't it? Isn't the only difference that LDAP gives the whole certificate or CRL, while the OCSP only gives the status? - Do you put the OCSP protocol _in_ an HTML file? Do you have to define new tags? Are there examples avaiable somewhere? Do Netscape and Microsoft have to put this procotol in their browsers? (Sorry for the dumb questions.) - A small remark about the security of LDAP: it is true that the messages don't need to be signed because the CA allready signed the certs ans CRL. BUT a nasty LDAPd could just answer on a request: 'I don't have that certificate or CRL' while he actually does have it. Perhaps a way to solve this is a CIL or Certficate Issue List (it's in a paper by Silvio Micali, you can find a copy at http://www.esat.kuleuven.ac.be/~hoeben/micali.ps). In that list the CA just puts the serial numbers of the certs (eventually after removing some redundancy) and signs it. If there comes a request for a cert the CA didn't issue, the LDAPd just gives the CIL to prove he hasn't got the cert. I guess this CIL is allready possible in X.509 v3, with the aid of private extensions, isn't it? Greetings, Stef
- operational protocols Stef Hoeben
- PKIX Part 3... Carlisle Adams