[caops-wg] OCSP document - proxies and delta CRLs
- To: caops-wg@xxxxxxx
- Subject: [caops-wg] OCSP document - proxies and delta CRLs
- From: Olle Mulmo <mulmo@xxxxxxxxxx>
- Date: Tue, 31 May 2005 13:35:21 +0200
- Delivered-to: grdfm-caops-wg-outgoing@mailbouncer.mcs.anl.gov
- Delivered-to: grdfm-caops-wg@mailbouncer.mcs.anl.gov
- Sender: owner-caops-wg@xxxxxxx
> * Page 7, section 5.5: the paragraph suggesting the use of Delta CRLs
> to obtain Proxy Certificate's status has been deleted ("Another option
> refers to using OCSP in a Push Operation Mode as mentioned in section
> 6.3, where relying parties SHOULD obtain revocation information
> through its OCSP service provider as soon as it is updated by the
> corresponding CA through Delta-CRLs"). Only as a way to let the reader
> know about this possibility, don't you think that it is worth keeping?

For an EE to "register" a proxy certificate with an OCSP responder, we
will require a protocol, and/or extensions to an existing protocol. Why
cannot the "disabling" of a previously registered proxy cert use the
same channel?
The two operations are about making changes to the responder's
revocation database, so for me it makes sense to have them tightly
coupled.
I don't rule out the use of Delta CRLs, but a Delta must be built
relative to a full CRL, which must be referenced. What is the full CRL
of an EE? In addition, support would have to be added in the responder
validation routines to allow EE (or proxies thereof?) certs to sign
CRLs. Overall, this smells too much of a hack to me.
/Olle
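The objection above hinges on how a delta CRL is anchored to a base: per RFC 5280 the delta carries a DeltaCRLIndicator (BaseCRLNumber) and can only be combined with a complete CRL whose CRLNumber satisfies that reference. The following Python is an added example, not part of this thread or of the OCSP document under review; it models only the CRL fields needed to show the combination rule, with constructed serial numbers and reason codes. The class and function names (`CompleteCRL`, `DeltaCRL`, `combine`) are this example's own.

```python
"""RFC 5280-style combination of a delta CRL with a complete (base) CRL.

Added example: a minimal model of the CRLNumber / DeltaCRLIndicator
relationship, to show that a delta is meaningless without a referenced
base CRL that a relying party already holds.
"""
from dataclasses import dataclass, field
from typing import Dict

# Reason codes from RFC 5280 section 5.3.1 (subset).
KEY_COMPROMISE = "keyCompromise"
CERTIFICATE_HOLD = "certificateHold"
SUPERSEDED = "superseded"
REMOVE_FROM_CRL = "removeFromCRL"   # only meaningful inside a delta CRL


@dataclass
class CompleteCRL:
    issuer: str
    crl_number: int                                      # CRLNumber extension
    entries: Dict[int, str] = field(default_factory=dict)  # serial -> reason


@dataclass
class DeltaCRL:
    issuer: str
    crl_number: int        # CRLNumber of the delta itself
    base_crl_number: int   # DeltaCRLIndicator: number of the referenced base
    entries: Dict[int, str] = field(default_factory=dict)


def combine(base: CompleteCRL, delta: DeltaCRL) -> CompleteCRL:
    """Apply a delta CRL to a complete CRL, yielding an updated complete CRL.

    Refuses to combine when the delta's BaseCRLNumber cannot be satisfied
    by the base we hold, which is exactly the dependency on a full CRL that
    the mail points out.
    """
    if base.issuer != delta.issuer:
        raise ValueError("delta and base CRL come from different issuers")
    if base.crl_number < delta.base_crl_number:
        raise ValueError(
            f"held base CRL number {base.crl_number} is older than the "
            f"BaseCRLNumber {delta.base_crl_number} the delta refers to")
    if delta.crl_number <= base.crl_number:
        raise ValueError("delta CRL is not newer than the base CRL")

    merged = dict(base.entries)
    for serial, reason in delta.entries.items():
        if reason == REMOVE_FROM_CRL:
            # Certificate taken off hold: drop it from the combined list.
            merged.pop(serial, None)
        else:
            # New revocation, or an updated reason for an existing entry.
            merged[serial] = reason
    return CompleteCRL(base.issuer, delta.crl_number, merged)


def is_revoked(crl: CompleteCRL, serial: int) -> bool:
    """Relying-party check against the (combined) complete CRL."""
    return serial in crl.entries


def demo():
    """Constructed data: base CRL #10, delta #12 built against base #10."""
    base = CompleteCRL("CN=Example CA", 10,
                       {1: KEY_COMPROMISE, 2: CERTIFICATE_HOLD})
    delta = DeltaCRL("CN=Example CA", 12, base_crl_number=10,
                     entries={3: SUPERSEDED, 2: REMOVE_FROM_CRL})
    combined = combine(base, delta)

    # A relying party that only holds an older base (#9) cannot use the delta.
    stale = CompleteCRL("CN=Example CA", 9, {1: KEY_COMPROMISE})
    try:
        combine(stale, delta)
        stale_rejected = False
    except ValueError:
        stale_rejected = True
    return combined, stale_rejected


if __name__ == "__main__":
    combined, stale_rejected = demo()
    print(combined.crl_number, combined.entries, stale_rejected)
```

Note how the combination step has no meaning for an end-entity or proxy: there is no complete CRL numbered by the EE for the delta's BaseCRLNumber to point at, and the responder would additionally have to accept a non-CA signer on the CRL itself.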