[145480] in cryptography@c2.net mail archive
Re: A mighty fortress is our PKI, Part II
daemon@ATHENA.MIT.EDU (Paul Tiemann)
Wed Jul 28 18:48:13 2010
From: Paul Tiemann <paul.tiemann.usenet@gmail.com>
In-Reply-To: <E1Oe8ur-0008Vz-Pk@wintermute02.cs.auckland.ac.nz>
Date: Wed, 28 Jul 2010 14:17:08 -0600
Cc: lynn@garlic.com,
Nicolas.Williams@oracle.com,
ben@links.org,
cryptography@metzdowd.com,
perry@piermont.com
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
On Jul 28, 2010, at 9:51 AM, Peter Gutmann wrote:
> Nicolas Williams <Nicolas.Williams@oracle.com> writes:
>
>> Exactly. OCSP can work in that manner. CRLs cannot.
>
> OCSP only appears to work in that manner. Since OCSP was designed to be 100%
> bug-compatible with CRLs, it's really an OCQP (online CRL query protocol) and
> not an OCSP.
This isn't true for all OCSP services. For example, DigiCert's is not
CRL based, so it really can say "Yes" and it really can say "Unknown"
meaningfully.
> (For people not familiar with OCSP, it can't say "yes" because a CRL can't say
> "yes" either, all it can say is "not on the CRL", and it can't say "no" for
> the same reason, all it can say is "not on the CRL". The ability to say
> "valid certificate" or "not valid certificate" was explicitly excluded from
> OCSP because that's not how things are supposed to be done).
True for off-the-shelf OCSP responders that base themselves on CRLs.
Paul Tiemann
(DigiCert)
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
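The distinction argued over in this exchange, modelled in a short script. This is an added example for the archive page, not code from either poster, from DigiCert or from any responder product; the class and function names, the sample serials and the CRL contents are this example's own constructed assumptions. It models a responder that answers only from the CA's CRL (every answer is "not on the CRL" or "on the CRL", so it says "good" even for a serial the CA never issued) beside a responder that also consults the CA's issuance records (an unrecorded serial gets "unknown", and "good" is a positive assertion), plus a relying-party policy for what "unknown" should do under hard-fail and soft-fail checking.

```python
"""
Model of the two OCSP responder back-ends discussed in this thread.

Added example for this archive page, not code from either poster or from any
real responder; class and function names are this example's own assumptions.
Status names follow the RFC 6960 CertStatus choices: good, revoked, unknown.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, Optional, Set, Tuple


class CertStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


@dataclass(frozen=True)
class SingleResponse:
    """One certificate's answer, like an OCSP SingleResponse minus the ASN.1."""
    serial: int
    status: CertStatus
    revocation_time: Optional[datetime] = None
    reason: Optional[str] = None


# Constructed sample data (not real CA records): the CA has issued three
# serials, and its CRL lists one of them as revoked.
SAMPLE_ISSUED: Set[int] = {0x1001, 0x1002, 0x1003}
SAMPLE_CRL: Dict[int, Tuple[datetime, str]] = {
    0x1002: (datetime(2010, 7, 1, tzinfo=timezone.utc), "keyCompromise"),
}
# A serial that appears nowhere in the CA's records, the situation a
# mis-issued or forged certificate under this CA's name would present.
NEVER_ISSUED = 0xDEAD


class CrlBackedResponder:
    """Off-the-shelf behaviour: the only input is the CRL. 'good' means
    'not on the CRL' and nothing more; 'unknown' is never returned."""

    def __init__(self, crl: Dict[int, Tuple[datetime, str]]):
        self.crl = crl

    def check(self, serial: int) -> SingleResponse:
        if serial in self.crl:
            when, reason = self.crl[serial]
            return SingleResponse(serial, CertStatus.REVOKED, when, reason)
        return SingleResponse(serial, CertStatus.GOOD)


class IssuanceBackedResponder:
    """Responder with the CA's issuance log: 'good' asserts that the CA
    issued this serial and has not revoked it; an unrecorded serial gets
    'unknown' instead of a spurious 'good'."""

    def __init__(self, issued: Set[int], crl: Dict[int, Tuple[datetime, str]]):
        self.issued = issued
        self.crl = crl

    def check(self, serial: int) -> SingleResponse:
        if serial not in self.issued:
            return SingleResponse(serial, CertStatus.UNKNOWN)
        if serial in self.crl:
            when, reason = self.crl[serial]
            return SingleResponse(serial, CertStatus.REVOKED, when, reason)
        return SingleResponse(serial, CertStatus.GOOD)


def relying_party_accepts(resp: SingleResponse, hard_fail: bool = True) -> bool:
    """Client-side policy. 'revoked' is always rejected. 'unknown' is rejected
    under hard-fail (the responder asserted nothing about this cert); a
    soft-fail client treats it like a responder outage and accepts."""
    if resp.status is CertStatus.REVOKED:
        return False
    if resp.status is CertStatus.UNKNOWN:
        return not hard_fail
    return True


def compare(serial: int) -> Dict[str, CertStatus]:
    """Ask both responder models about one serial and return their statuses."""
    crl_only = CrlBackedResponder(SAMPLE_CRL)
    with_issuance = IssuanceBackedResponder(SAMPLE_ISSUED, SAMPLE_CRL)
    return {
        "crl_backed": crl_only.check(serial).status,
        "issuance_backed": with_issuance.check(serial).status,
    }


if __name__ == "__main__":
    for s in (0x1001, 0x1002, NEVER_ISSUED):
        answers = compare(s)
        print(f"serial {s:#x}: CRL-backed says {answers['crl_backed'].value}, "
              f"issuance-backed says {answers['issuance_backed'].value}")
```

Run it and the never-issued serial is the line to look at: the CRL-backed model reports it "good", the issuance-backed model reports it "unknown", and only a hard-fail relying party turns that "unknown" into a rejection. Whether a given CA's production responder is built the first way or the second is exactly what the thread is arguing about, and nothing in the responder's wire format tells a client which it is.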