RE: Major comments on OCSP (and LDAP Sec: msg#00305

ietf.x509

Alan,
>I still cannot see from the OCSP spec how it deals with certificates that
>I might receive from anywhere in the world - The EC directory system -
>just like the way in which a directory system supports the global
>telephone system - is needed for CAs and organisations to do real
>distributed EC.
A comparison with telephone systems is *very* appropriate. You typically have a
subscription to *one* operator and line. This line could be OCSP. The OCSP-server
part does the messy part of transmitting the certificate status request to the
proper destination regardless of how its directory is arranged. And it also does
the billing in your own currency and local method. Or do you think most OCSP
services will be for free?

A real-world OCSP-system is likely to support a limited set of "certificate
domains".

The *backend-part* may indeed be X500-directories but is there really a need to
know that for *clients* that just want to check the status of a certificate?

I.e. OCSP is not only a YAP but could also (particularly with my
issuer-certificate-cache addition
http://www.jaybis.com/specifications/pkix/ocsp.html ) be the *only* protocol an
ordinary client needs for accessing the "certificate store".

For a lot of PKIs (like ID-cards) the certificates will not be public
anyway, and in these cases OCSP makes even more sense.

Anders
