[145482] in cryptography@c2.net mail archive
Re: A mighty fortress is our PKI, Part II
daemon@ATHENA.MIT.EDU (Paul Tiemann)
Wed Jul 28 18:56:18 2010
From: Paul Tiemann <paul.tiemann.usenet@gmail.com>
In-Reply-To: <20100728132521.03bb969b@jabberwock.cb.piermont.com>
Date: Wed, 28 Jul 2010 14:40:14 -0600
Cc: Nicolas Williams <Nicolas.Williams@oracle.com>,
cryptography@metzdowd.com
To: Perry E. Metzger <perry@piermont.com>
On Jul 28, 2010, at 11:25 AM, Perry E. Metzger wrote:
> On Wed, 28 Jul 2010 11:20:52 -0500 Nicolas Williams
> <Nicolas.Williams@oracle.com> wrote:
>> On Wed, Jul 28, 2010 at 12:18:56PM -0400, Perry E. Metzger wrote:
>>> Again, I understand that in a technological sense, in an ideal
>>> world, they would be equivalent. However, the big difference,
>>> again, is that you can't run Kerberos with no KDC, but you can
>>> run a PKI without an OCSP server. The KDC is impossible to leave
>>> out of the system. That is a really nice technological feature.
>>
>> Whether PKI can run w/o OCSP is up to the relying parties. Today,
>> because OCSP is an afterthought, they have little choice.
>
> My mother relies on many certificates. Can she make a decision on
> whether or not her browser uses OCSP for all its transactions?
That might depend. I tell Firefox to use OCSP if a responder is
referenced in the certificate, and I check that little checkbox that
says "When an OCSP connection fails, treat the certificate as invalid."

True, if you don't have that checkbox marked, then Firefox will take a
failed OCSP check attempt (connection refused, socket timeout, etc.) as a
success. What it ought to do is try the CRL(s) listed in the
certificate too, and if both don't work then it really ought to error.
Paul Tiemann
(DigiCert)
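The three client behaviours discussed in this message, written out as one revocation-check policy model: Firefox's default (an unreachable responder is treated as success), the "treat the certificate as invalid" checkbox (unreachable means reject), and the fallback Paul proposes (try OCSP, then the certificate's CRLs, and reject only if both are unavailable). This is an added example, not code from the original post or from Firefox; the OCSP and CRL fetchers are stand-ins that raise an exception in place of a connection refused or socket timeout, and the URLs and serial numbers are constructed for the scenarios at the bottom.

```python
"""Model of OCSP/CRL failure handling: soft-fail, hard-fail, OCSP-then-CRL.

Added illustration; the fetchers below simulate network results rather
than talking to a real responder or CRL distribution point.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, FrozenSet, Optional, Sequence, Tuple


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"  # responder answered but does not know the cert


class Unreachable(Exception):
    """Stand-in for connection refused / socket timeout on a revocation source."""


class Policy(Enum):
    SOFT_FAIL = "soft-fail"          # checkbox unticked: unreachable -> accept
    HARD_FAIL = "hard-fail"          # checkbox ticked: unreachable -> reject
    OCSP_THEN_CRL = "ocsp-then-crl"  # proposal: fall back to CRL, reject if both fail


@dataclass(frozen=True)
class Cert:
    serial: int
    ocsp_urls: Sequence[str]  # from the certificate's AIA extension
    crl_urls: Sequence[str]   # from the certificate's CRL distribution points


OcspFetcher = Callable[[str, int], Status]
CrlFetcher = Callable[[str], FrozenSet[int]]  # returns the revoked serials


def _query_ocsp(cert: Cert, fetch: OcspFetcher) -> Optional[Status]:
    """Ask each listed responder in turn; None if none could be reached."""
    for url in cert.ocsp_urls:
        try:
            return fetch(url, cert.serial)
        except Unreachable:
            continue
    return None


def _query_crl(cert: Cert, fetch: CrlFetcher) -> Optional[bool]:
    """Fetch each listed CRL in turn; True/False if reachable, None otherwise."""
    for url in cert.crl_urls:
        try:
            return cert.serial in fetch(url)
        except Unreachable:
            continue
    return None


def check_revocation(cert: Cert, policy: Policy, fetch_ocsp: OcspFetcher,
                     fetch_crl: CrlFetcher) -> Tuple[bool, str]:
    """Return (accepted, reason) for the certificate under the given policy."""
    status = _query_ocsp(cert, fetch_ocsp)  # None when no responder reachable
    if status is Status.REVOKED:
        return False, "ocsp: revoked"
    if status is Status.GOOD:
        return True, "ocsp: good"
    # No usable OCSP answer (unreachable, no responder listed, or UNKNOWN).
    if policy is Policy.SOFT_FAIL:
        return True, "ocsp unavailable, soft-fail: accepted"
    if policy is Policy.HARD_FAIL:
        return False, "ocsp unavailable, hard-fail: rejected"
    revoked = _query_crl(cert, fetch_crl)
    if revoked is None:
        return False, "ocsp and crl unavailable: rejected"
    if revoked:
        return False, "crl: revoked"
    return True, "crl: not listed"


# Constructed scenario data: one revoked serial known to both sources.
REVOKED_SERIALS: FrozenSet[int] = frozenset({0x1002})


def make_fetchers(ocsp_up: bool, crl_up: bool) -> Tuple[OcspFetcher, CrlFetcher]:
    """Simulated sources; a 'down' source raises Unreachable like a dead socket."""
    def fetch_ocsp(url: str, serial: int) -> Status:
        if not ocsp_up:
            raise Unreachable(f"{url}: connection refused")
        return Status.REVOKED if serial in REVOKED_SERIALS else Status.GOOD

    def fetch_crl(url: str) -> FrozenSet[int]:
        if not crl_up:
            raise Unreachable(f"{url}: socket timeout")
        return REVOKED_SERIALS
    return fetch_ocsp, fetch_crl


def run_scenarios() -> Dict[Tuple[str, bool, bool, int], bool]:
    """Accept/reject outcome for every policy, source availability and cert."""
    certs = (Cert(0x1001, ["http://ocsp.example/"], ["http://crl.example/a.crl"]),
             Cert(0x1002, ["http://ocsp.example/"], ["http://crl.example/a.crl"]))
    results = {}
    for policy in Policy:
        for ocsp_up, crl_up in ((True, True), (False, True), (False, False)):
            fetch_ocsp, fetch_crl = make_fetchers(ocsp_up, crl_up)
            for cert in certs:
                accepted, _ = check_revocation(cert, policy, fetch_ocsp, fetch_crl)
                results[(policy.value, ocsp_up, crl_up, cert.serial)] = accepted
    return results


if __name__ == "__main__":
    for key, accepted in run_scenarios().items():
        print(key, "accepted" if accepted else "rejected")
```

The row worth looking at in the output is soft-fail with the responder down: the revoked serial 0x1002 is accepted, which is exactly the failure mode the message describes; under the fallback policy the same certificate is rejected via the CRL, and rejected outright when both sources are down.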
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com