[145474] in cryptography@c2.net mail archive
Re: A mighty fortress is our PKI, Part II
daemon@ATHENA.MIT.EDU (Nicolas Williams)
Wed Jul 28 13:21:51 2010
Date: Wed, 28 Jul 2010 11:20:52 -0500
From: Nicolas Williams <Nicolas.Williams@oracle.com>
To: "Perry E. Metzger" <perry@piermont.com>
Cc: cryptography@metzdowd.com
In-Reply-To: <20100728121856.45cd87b0@jabberwock.cb.piermont.com>
On Wed, Jul 28, 2010 at 12:18:56PM -0400, Perry E. Metzger wrote:
> Again, I understand that in a technological sense, in an ideal world,
> they would be equivalent. However, the big difference, again, is that
> you can't run Kerberos with no KDC, but you can run a PKI without an
> OCSP server. The KDC is impossible to leave out of the system. That is
> a really nice technological feature.
Whether PKI can run w/o OCSP is up to the relying parties. Today,
because OCSP is an afterthought, they have little choice.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
