[145484] in cryptography@c2.net mail archive
Re: A mighty fortress is our PKI, Part II
daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Wed Jul 28 18:57:32 2010
Date: Wed, 28 Jul 2010 18:12:54 -0400
From: "Perry E. Metzger" <perry@piermont.com>
To: Paul Tiemann <paul.tiemann.usenet@gmail.com>
Cc: cryptography@metzdowd.com
In-Reply-To: <E4A60419-2373-4402-92C6-255B72242A9A@gmail.com>
On Wed, 28 Jul 2010 14:40:14 -0600 Paul Tiemann
<paul.tiemann.usenet@gmail.com> wrote:
>
> On Jul 28, 2010, at 11:25 AM, Perry E. Metzger wrote:
>
> > On Wed, 28 Jul 2010 11:20:52 -0500 Nicolas Williams
> > <Nicolas.Williams@oracle.com> wrote:
> >> On Wed, Jul 28, 2010 at 12:18:56PM -0400, Perry E. Metzger wrote:
> >>> Again, I understand that in a technological sense, in an ideal
> >>> world, they would be equivalent. However, the big difference,
> >>> again, is that you can't run Kerberos with no KDC, but you can
> >>> run a PKI without an OCSP server. The KDC is impossible to leave
> >>> out of the system. That is a really nice technological feature.
> >>
> >> Whether PKI can run w/o OCSP is up to the relying parties.
> >> Today, because OCSP is an afterthought, they have little choice.
> >
> > My mother relies on many certificates. Can she make a decision on
> > whether or not her browser uses OCSP for all its transactions?
>
> That might depend. I tell Firefox to use OCSP if a responder is
> referenced in the certificate, and I check that little checkbox
> that says "When an OCSP connection fails, treat the certificate as
> invalid."
I believe you've missed an important point.
First, my mother would never understand what that box means. Second,
my mother has no control over whether the CA provides OCSP.
Perry
--
Perry E. Metzger perry@piermont.com