Re: operational protocols
Stef Hoeben <Stefan.Hoeben@esat.kuleuven.ac.be> Mon, 07 April 1997 08:21 UTC
Received: by suntan.tandem.com (8.6.12/suntan5.970212) for ietf-pkix-relay id BAA02484; Mon, 7 Apr 1997 01:21:43 -0700
Received: from barbar.esat.kuleuven.ac.be by suntan.tandem.com (8.6.12/suntan5.970212) for <ietf-pkix@tandem.com> id BAA02481; Mon, 7 Apr 1997 01:21:39 -0700
Received: from dante (dante.esat.kuleuven.ac.be [134.58.66.131]) by barbar (version 8.8.5) with SMTP id KAA21130; Mon, 7 Apr 1997 10:21:18 +0200 (METDST)
Organization: ESAT, K.U.Leuven, Belgium
Date: Mon, 07 Apr 1997 10:21:17 +0200
From: Stef Hoeben <Stefan.Hoeben@esat.kuleuven.ac.be>
X-Sender: hoeben@dante
Reply-To: Stef Hoeben <Stefan.Hoeben@esat.kuleuven.ac.be>
To: "Housley, Russ" <housley@spyrus.com>
cc: ietf-pkix@tandem.com, Stefan.Hoeben@esat.kuleuven.ac.be
Subject: Re: operational protocols
In-Reply-To: <9703068603.AA860380956@spysouth.spyrus.com>
Message-ID: <Pine.ULT.3.95.970407095804.241A-100000@dante>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Russ:

> I do not see how the CIL can be usefully used as a certificate
> extension.
> Please provide a more detailed explanation.

Normally, a CA gives its certs and CRL to a Directory, which is normally not a _Trusted_ Third Party. Because the certs and CRL are signed by the CA, the Directory can't mess these up. But the Directory can answer a request for a certificate with: 'I don't have it, the CA never issued it.'

So if a Directory really doesn't have a certificate, it must prove it to the user. This can be done by the CIL: a list with the serial numbers (or other IDs) of all certificates the CA has given to the Directory, and this list must be signed by the CA. So if a user requests a cert which the Directory doesn't have, the Directory _must_ give the CIL, which the user can check to verify the requested cert isn't in the CIL.

=> The only problem seems to be: how to tell the users they will get a CIL instead of an 'I don't have that cert' if they ask for a non-existing cert. I don't think you can put it in a private extension of the certificate, because that's exactly what a nasty Directory won't give...

> How is LDAP different than any other access to a certificate and CRL
> repository? I do not see what makes the CIL important in the LDAP
> environment more than any other environment (like FTP or full DAP).

Oops, mistake: LDAP isn't different. It's the same for the other protocols. Sorry for the confusion.

> Also, does the use of distributed, replicated Directories help solve your
> concern? If not, how about the use of more than one distribution mechanism,
> say FTP and LDAP.

You mean some independent directories with the same info? Sure, that would help, but isn't that expensive and impractical in most cases?

Also, please allow me to ask my questions again ...

- In the abstract, it looks like only the OCSP protocol can be used for online checking. But this is also possible with the LDAP protocol, isn't it? Isn't the only difference that LDAP gives the whole certificate or CRL, while OCSP only gives the status?

- Do you put the OCSP protocol _in_ an HTML file? Do you have to define new tags? Are there examples available somewhere? Do Netscape and Microsoft have to put this protocol in their browsers? (Sorry for the dumb questions.)

Stef
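The CIL exchange Stef describes above, as an added example that is not code from the thread or from any PKIX draft: an untrusted Directory answers a lookup either with the certificate or with the CA-signed list of serials it was given, and the client accepts "not issued" only after checking the CA's signature, the issuer name, and the absence of the requested serial. Everything beyond the message is an assumption: serial numbers as the identifier, a JSON encoding with issuer and issue time, the four Directory behaviours modelled, and a textbook RSA over SHA-256 built from two fixed Mersenne primes that stands in for the CA's signature so the code runs on the standard library alone (it is a toy, not a secure signature).

```python
"""Proof of non-issuance with a CA-signed Certificate Issued List (CIL).

Added example; not from the PKIX thread. The Directory never holds the
CA's private key, so it can hand out the signed CIL but cannot alter it.
"""
import hashlib
import json

# --- toy CA signature: textbook RSA on fixed Mersenne primes (stand-in,
# --- insecure, chosen only so the example needs no third-party library)
_P, _Q = (1 << 61) - 1, (1 << 89) - 1
CA_N = _P * _Q                                   # public modulus
CA_E = 65537                                     # public exponent
_CA_D = pow(CA_E, -1, (_P - 1) * (_Q - 1))       # private exponent, CA only


def _digest(data: bytes) -> int:
    # SHA-256 reduced into Z_n; both signer and verifier compute the same value
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % CA_N


def ca_sign(data: bytes) -> int:
    return pow(_digest(data), _CA_D, CA_N)


def ca_verify(data: bytes, sig: int) -> bool:
    return pow(sig, CA_E, CA_N) == _digest(data)


def _encode(body: dict) -> bytes:
    # canonical encoding so signer and verifier hash identical bytes
    return json.dumps(body, sort_keys=True).encode()


# --- CA side: build the signed list of every serial given to the Directory
def make_cil(issuer: str, issued_at: str, serials) -> dict:
    body = {"issuer": issuer, "issuedAt": issued_at, "serials": sorted(serials)}
    return {"body": body, "sig": ca_sign(_encode(body))}


# --- Directory side (untrusted). `mode` selects the behaviour modelled:
#   honest   - returns the cert, or the unmodified CIL when it has none
#   silent   - returns a bare "don't have it" with no proof
#   withhold - hides one cert but returns the genuine CIL
#   forge    - hides one cert and edits the CIL to drop its serial
class Directory:
    def __init__(self, certs: dict, cil: dict, mode="honest", hidden=None):
        self.certs, self.cil, self.mode, self.hidden = certs, cil, mode, hidden

    def lookup(self, serial: int):
        if serial in self.certs and serial != self.hidden:
            return ("cert", self.certs[serial])
        if self.mode == "silent":
            return ("none", None)
        if self.mode == "forge" and serial == self.hidden:
            body = dict(self.cil["body"])
            body["serials"] = [s for s in body["serials"] if s != serial]
            return ("cil", {"body": body, "sig": self.cil["sig"]})  # old sig
        return ("cil", self.cil)


# --- Client side: accept "not issued" only with a verifiable CIL
def client_lookup(directory: Directory, serial: int, issuer: str) -> str:
    """Returns 'cert', 'absent', 'withheld', 'invalid-cil' or 'no-proof'."""
    kind, payload = directory.lookup(serial)
    if kind == "cert":
        return "cert"
    if kind != "cil":
        return "no-proof"            # a bare denial proves nothing
    body = payload["body"]
    if body.get("issuer") != issuer or not ca_verify(_encode(body), payload["sig"]):
        return "invalid-cil"         # tampered list or wrong CA
    # a serial the CA says it handed over but the Directory "doesn't have"
    return "withheld" if serial in body["serials"] else "absent"


# constructed sample data (not from the thread)
SAMPLE_CIL = make_cil("CA-Example", "1997-04-07T08:21:17Z", [1001, 1002, 1003])
SAMPLE_CERTS = {1001: b"cert-1001", 1002: b"cert-1002", 1003: b"cert-1003"}

if __name__ == "__main__":
    d = Directory(SAMPLE_CERTS, SAMPLE_CIL)
    print(client_lookup(d, 1002, "CA-Example"), client_lookup(d, 4242, "CA-Example"))
```

The `withhold` case is the one a plain "not found" reply can never expose: the Directory still has a valid CIL, but that CIL lists the serial it claims not to have, so the client learns the Directory is lying rather than the CA never issuing. The `forge` case shows why the list must be CA-signed: dropping a serial invalidates the signature. Stef's open question (how the client knows to expect a CIL) is assumed away here by having the client treat anything other than a cert or a CIL as `no-proof`.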
- Re: operational protocols Housley, Russ
- Re: operational protocols Housley, Russ
- Re: operational protocols Patrick Richard
- Re: operational protocols Reginald Carey
- Re: operational protocols Stef Hoeben
- RE(2): operational protocols T.A.Parker
- Re: operational protocols Mike Smith
- Re: operational protocols Mike Smith
- Re: operational protocols Stef Hoeben
- Re: operational protocols David Boyce
- Re: operational protocols Stef Hoeben