operational protocols

Stef Hoeben <Stefan.Hoeben@esat.kuleuven.ac.be> Thu, 03 April 1997 13:20 UTC

Received: by suntan.tandem.com (8.6.12/suntan5.970212) for ietf-pkix-relay id FAA20248; Thu, 3 Apr 1997 05:20:26 -0800
Received: from barbar.esat.kuleuven.ac.be by suntan.tandem.com (8.6.12/suntan5.970212) for <ietf-pkix@tandem.com> id FAA19971; Thu, 3 Apr 1997 05:18:02 -0800
Received: from dante (dante.esat.kuleuven.ac.be [134.58.66.131]) by barbar (version 8.8.5) for <ietf-pkix@tandem.com> with SMTP id PAA03783; Thu, 3 Apr 1997 15:17:39 +0200 (METDST)
Organization: ESAT, K.U.Leuven, Belgium
Date: Thu, 03 Apr 1997 15:18:30 +0200
From: Stef Hoeben <Stefan.Hoeben@esat.kuleuven.ac.be>
X-Sender: hoeben@dante
Reply-To: Stef Hoeben <Stefan.Hoeben@esat.kuleuven.ac.be>
To: ietf-pkix@tandem.com
Subject: operational protocols
In-Reply-To: <c=CA%a=_%p=NorTel_Secure_Ne%l=GRANNY-970401173301Z-35642@bwdldb.ott.bnr.ca>
Message-ID: <Pine.ULT.3.95.970403112753.8665E-100000@dante>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"

Hello,

Some questions about the ipki2opp-00 draft (by the way,
nice work:)

- In the abstract, it looks like only the OCSP protocol
can be used for online checking. But this is also possible
with the LDAP protocol, isn't it? Isn't the only difference
that LDAP gives the whole certificate or CRL, while
OCSP only gives the status?

- Do you put the OCSP protocol _in_ an HTML file? Do you
have to define new tags?  Are there examples available
somewhere? Do Netscape and Microsoft have to put this
protocol in their browsers? (Sorry for the dumb questions.)

- A small remark about the security of LDAP: it is true
that the messages don't need to be signed because the CA
already signed the certs and CRL. BUT a nasty LDAPd could
just answer a request with 'I don't have that certificate
or CRL' while he actually does have it.
Perhaps a way to solve this is a CIL or Certificate Issue List
(it's in a paper by Silvio Micali, you can find a copy at
http://www.esat.kuleuven.ac.be/~hoeben/micali.ps). In that
list the CA just puts the serial numbers of the certs (eventually
after removing some redundancy) and signs it. If a request comes
in for a cert the CA didn't issue, the LDAPd just gives
the CIL to prove he hasn't got the cert.
I guess this CIL is already possible in X.509 v3, with the
aid of private extensions, isn't it?

			Greetings, Stef
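The withholding attack and the CIL countermeasure sketched in the message, as an added worked example that is not part of the original post, the ipki2opp draft or Micali's paper. Everything here is assumed for illustration: serial numbers are plain integers, the CA "signature" is an HMAC with a key the client also holds (a stand-in for the CA's real public-key signature), the directory is a Python class instead of an LDAP server, and the CIL carries a validity window so that a directory cannot replay an old CIL that predates the certificate it is hiding.

```python
"""Added example (not from the original message or the ipki2opp draft):
a signed Certificate Issue List (CIL) lets a directory prove that a
certificate it reports as "not found" was never issued by the CA, so a
dishonest LDAP server cannot quietly withhold certificates.

Assumptions (all constructed here): serials are ints; the CA "signature"
is an HMAC under a key the client also holds, standing in for a real CA
signature; the CIL carries a validity window so a stale CIL cannot be
replayed after a new cert is issued."""
import hashlib
import hmac
import json

CA_KEY = b"constructed-ca-signing-key"  # stand-in for the CA private key


def compress_serials(serials):
    """Collapse the issued serials into (lo, hi) ranges: the 'removing
    some redundancy' step, so the CIL stays small for sequential serials."""
    ranges = []
    for s in sorted(set(serials)):
        if ranges and ranges[-1][1] == s - 1:
            ranges[-1][1] = s
        else:
            ranges.append([s, s])
    return [tuple(r) for r in ranges]


def _sign(payload, key):
    """Stand-in CA signature over a canonical JSON encoding."""
    data = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_cil(issued_serials, not_before, not_after, key=CA_KEY):
    body = {"ranges": compress_serials(issued_serials),
            "not_before": not_before, "not_after": not_after}
    return {"body": body, "sig": _sign(body, key)}


def verify_cil(cil, now, key=CA_KEY):
    """The CIL must carry a valid CA signature and be current at 'now'."""
    body = cil["body"]
    if not hmac.compare_digest(cil["sig"], _sign(body, key)):
        return False
    return body["not_before"] <= now <= body["not_after"]


def cil_lists(cil, serial):
    return any(lo <= serial <= hi for lo, hi in cil["body"]["ranges"])


def issue_cert(serial, subject, key=CA_KEY):
    body = {"serial": serial, "subject": subject}
    return {"body": body, "sig": _sign(body, key)}


class Directory:
    """LDAP-like repository. With withhold=True it lies: it answers
    'absent' for serials it actually holds (the attack in the message)."""
    def __init__(self, certs, cil, withhold=False):
        self.certs = {c["body"]["serial"]: c for c in certs}
        self.cil = cil
        self.withhold = withhold

    def lookup(self, serial):
        if serial in self.certs and not self.withhold:
            return ("cert", self.certs[serial])
        return ("absent", self.cil)          # must be backed by the CIL


def client_lookup(directory, serial, now, key=CA_KEY):
    """Returns ('cert', cert), ('not_issued', None), ('withheld', None) or
    ('untrusted', None). An 'absent' answer is accepted only when a fresh,
    CA-signed CIL shows the serial was never issued."""
    kind, payload = directory.lookup(serial)
    if kind == "cert":
        ok = hmac.compare_digest(payload["sig"], _sign(payload["body"], key))
        if ok and payload["body"]["serial"] == serial:
            return ("cert", payload)
        return ("untrusted", None)
    if not verify_cil(payload, now, key):
        return ("untrusted", None)   # forged or stale CIL: don't believe "absent"
    if cil_lists(payload, serial):
        return ("withheld", None)    # CA says it issued this serial; directory hides it
    return ("not_issued", None)
```

The client never takes "I don't have it" on the directory's word: a valid CIL that does not list the serial is the only acceptable proof of absence, and a valid CIL that does list it exposes the withholding. The validity window matters because without it the directory could serve a genuine but outdated CIL from before the certificate was issued.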