[TLS] draft-pettersen-tls-ext-multiple-ocsp questions

"Jim Schaad" <ietf@augustcellars.com> Wed, 11 April 2012 17:02 UTC

From: Jim Schaad <ietf@augustcellars.com>
To: draft-pettersen-tls-ext-multiple-ocsp@tools.ietf.org
Date: Wed, 11 Apr 2012 10:01:04 -0700
Cc: tls@ietf.org
Subject: [TLS] draft-pettersen-tls-ext-multiple-ocsp questions

There are three models for doing OCSP; as near as I can tell, this draft only
addresses two of those models.

1.  The RP uses a single OCSP server that will issue the OCSP responses for
all of the certificates in a chain.
2.  The CA directly issues OCSP responses for the certificates that it
issues (thus they replace direct CRLs).
3.  The CA issues a certificate to the OCSP responder (thus they replace
indirect CRLs).

The first two are covered, as only the certificates in the CA chain and the
OCSP responses are needed; however, the last model would require that
additional certificates and potentially CRLs be transported so that the
indirect certificate can be validated as part of processing the OCSP
responses.

Jim
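The signer-acceptance decision behind the three models above, as an added example that is not part of Jim Schaad's message or of the draft: a relying party applying the "authorized responder" rule of RFC 2560 section 4.2.2.2 (carried into RFC 6960) accepts a response signer if it is a locally trusted responder (model 1), the issuing CA itself (model 2), or a certificate issued by that CA with the id-kp-OCSPSigning EKU (model 3). Only the third case needs the responder certificate to be present, and, unless it carries id-pkix-ocsp-nocheck, a revocation check of that certificate, which is the extra material the message says the draft does not transport. All certificates, responses, key identifiers and the CRL table are constructed toy objects; the identifiers are illustrative strings rather than OIDs, and signature verification is assumed to happen elsewhere.

```python
from dataclasses import dataclass

# Assumed identifiers (constructed for this example; real values are OIDs)
OCSP_SIGNING = "id-kp-OCSPSigning"     # EKU a delegated responder cert must carry
OCSP_NOCHECK = "id-pkix-ocsp-nocheck"  # extension exempting the responder cert from revocation checks


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, not parsed)."""
    subject: str
    issuer: str
    serial: int
    key_id: str                     # stands in for the responder key hash
    eku: frozenset = frozenset()
    extensions: frozenset = frozenset()


@dataclass(frozen=True)
class OCSPResponse:
    """Fields of a BasicOCSPResponse relevant to signer acceptance."""
    responder_key_id: str           # responderID (byKey form)
    certs: tuple = ()               # optional certs carried in the response


def classify_signer(resp, subject, chain, trusted_responders, crls):
    """Decide whether the response signer is acceptable for `subject`.

    Returns (model, accepted, reason) with model 1/2/3 as in the message
    above: 1 = locally trusted responder, 2 = issuing CA signs directly,
    3 = responder certificate delegated by the issuing CA.
    `crls` maps an issuer name to the set of revoked serials; a missing
    key means no CRL for that issuer is available to the relying party.
    """
    issuer = next((c for c in chain if c.subject == subject.issuer), None)
    if issuer is None:
        return (None, False, "issuer certificate not available")
    if resp.responder_key_id in trusted_responders:
        return (1, True, "signer is a locally configured trusted responder")
    if resp.responder_key_id == issuer.key_id:
        return (2, True, "signer is the CA that issued the certificate")
    # Model 3: the responder cert must be findable (embedded in the
    # response or supplied alongside the chain), issued by the same CA as
    # `subject`, carry the OCSP signing EKU, and be revocation-checked.
    responder = next((c for c in (*resp.certs, *chain)
                      if c.key_id == resp.responder_key_id), None)
    if responder is None:
        return (3, False, "delegated responder certificate not supplied")
    if responder.issuer != issuer.subject:
        return (3, False, "responder certificate not issued by the subject's CA")
    if OCSP_SIGNING not in responder.eku:
        return (3, False, "responder certificate lacks id-kp-OCSPSigning")
    if OCSP_NOCHECK in responder.extensions:
        return (3, True, "delegated responder accepted (id-pkix-ocsp-nocheck)")
    revoked = crls.get(issuer.subject)
    if revoked is None:
        return (3, False, "responder certificate needs a revocation check but no CRL is available")
    if responder.serial in revoked:
        return (3, False, "delegated responder certificate is revoked")
    return (3, True, "delegated responder accepted after CRL check")


def demo():
    """Exercise the three models (every object here is constructed)."""
    ca = Cert("CN=Example CA", "CN=Example CA", 1, "ca-key")
    ee = Cert("CN=www.example.test", "CN=Example CA", 2, "ee-key")
    delegated = Cert("CN=Example OCSP", "CN=Example CA", 3, "resp-key",
                     eku=frozenset({OCSP_SIGNING}))
    nocheck = Cert("CN=Example OCSP", "CN=Example CA", 4, "nocheck-key",
                   eku=frozenset({OCSP_SIGNING}),
                   extensions=frozenset({OCSP_NOCHECK}))
    chain = (ee, ca)
    trusted = {"trusted-key"}
    with_resp = OCSPResponse("resp-key", (delegated,))
    return {
        "model1": classify_signer(OCSPResponse("trusted-key"), ee, chain, trusted, {}),
        "model2": classify_signer(OCSPResponse("ca-key"), ee, chain, trusted, {}),
        "model3_missing_cert": classify_signer(OCSPResponse("resp-key"), ee, chain, trusted, {}),
        "model3_no_crl": classify_signer(with_resp, ee, chain, trusted, {}),
        "model3_with_crl": classify_signer(with_resp, ee, chain, trusted,
                                           {"CN=Example CA": frozenset()}),
        "model3_revoked": classify_signer(with_resp, ee, chain, trusted,
                                          {"CN=Example CA": frozenset({3})}),
        "model3_nocheck": classify_signer(OCSPResponse("nocheck-key", (nocheck,)),
                                          ee, chain, trusted, {}),
    }


if __name__ == "__main__":
    for name, (model, ok, why) in demo().items():
        print(f"{name:20s} model={model} accepted={ok}: {why}")
```

The two model-3 failures without a CRL or without the responder certificate are the cases the message is about: the response itself may be well-formed and correctly signed, yet the relying party cannot reach an accept decision unless the delegated certificate and its revocation data travel with it or are fetched out of band.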