RE: Major comments on OCSP (and LDAP Sec: msg#00304 ietf.x509
Anders, thanks for that, I think that the "global" directory systems won't happen bit is a view. But one must look at white pages for the telephone system - that happened out of need. Once we join voice and data services together we need a directory for that, and once corporations start dealing with optimising their information infrastructures on distributed name based - object oriented - transaction systems - they will use directories. The ONLY standard on the planet for this is X.500.

As a person who is involved with many large (and I mean large) scale directory systems across the planet, I have a different perspective on life than those working in other areas. The desire and the requirement to have a global directory infrastructure for global EC is overwhelming from many vertical markets and organisations - as said, we have a high integrity, high performance, 3rd generation DSA with information integration tools, LDAP interfaces for servers and clients and it has been tested and accepted by such large corporates in many countries. We are getting busier and busier by the day - and those scaling issues as defined for OCSP (and LDAP servers) are just the sorts of issues that these clients are quite happy to avoid.

We live in a world where IT system scale is totally related to a business capability and market share and revenue strategies. I do not and will not ever understand why this is never considered by those dealing with generic infrastructure standards.

The LDAP development process is now adding mechanisms that do not scale and it still has no architectural model to base distributed authentication and access control on. It has a high operational cost and is unworkable in large distributed organisations. LDAP should be deemed as a protocol that is getting more and more proprietary extensions thus minimising the core generic features and risking interoperability. OCSP IMHO is the same approach - a local solution to a local problem.

regards alan

> -----Original Message-----
> From: Anders Rundgren [SMTP:anders.rundgren@xxxxxxxxx]
> Sent: Friday, 14 August 1998 18:21
> To: 'Alan Lloyd'
> Cc: 'Stefan Santesson'; 'ietf-pkix@xxxxxxx '; 'Mike Myers'; 'Ambarish Malpani'
> Subject: RE: Major comments on OCSP (and LDAP Sec
>
> Hi Alan,
> I basically agree to what you are saying on a technical basis. Due to lack
> of conformance and goals of different organizations I don't believe that
> global X500 directories will ever happen except (maybe) for a few very specific
> 100% standardized certificates of commercial interest.
>
> My solution to this situation is an upgraded OCSP++ system:
>
> http://www.jaybis.com/specifications/pkix/ocsp.html
>
> This is IMO what could easily have been squeezed into V1.0. Now I suspect OCSP 1.0 will
> be short-lived, not particularly interoperable (lots of things are
> variable and suspect to interpretation), and offer too little.
>
> Anders Rundgren
> Senior Internet E-commerce Architect