RE: Major comments on OCSP (and LDAP Sec: msg#00306 ietf.x509

Sorry Anders - still cannot equate to OCSP. Simply because it means that client software must have yet more code with another protocol to do a job - and if this job is not working, then the client software still has to deal with cert path processing (via directories). I think the business dependency on standard COTS clients and the fact that these suppliers are trying to minimise config management and protocol options, etc. means that OCSP is a special case, in costs, client software maintenance, server functions, database integration, scaling, etc. As for the telephone system: one protocol/line gets me the world; the same paradigm will hold true with DAP or LDAP accessed X.500 directories.

just a view
regards alan

> -----Original Message-----
> From: Anders Rundgren [SMTP:anders.rundgren@xxxxxxxxx]
> Sent: Friday, 21 August 1998 16:24
> To: 'Alan Lloyd'
> Cc: 'Stefan Santesson'; 'ietf-pkix@xxxxxxx '; 'Mike Myers'; 'Ambarish Malpani'
> Subject: RE: Major comments on OCSP (and LDAP Sec
>
> Alan,
> >I still cannot see from the OCSP spec how it deals with certificates that
> >I might receive from anywhere in the world - The EC directory system -
> >just like the way in which a directory system supports the global
> >telephone system - is needed for CAs and organisations to do real
> >distributed EC.
>
> A comparison with telephone systems is *very* appropriate. You typically have a
> subscription to *one* operator and line. This line could be OCSP. The OCSP-
> server part does the messy part of transmitting the certificate status request
> to the proper destination regardless of how its directory is arranged. And it
> also does the billing in your own currency and local method. Or do you think
> most OCSP services will be for free?
>
> A real-world OCSP-system is likely to support a limited set of "certificate domains".
> The *backend-part* may indeed be X500-directories but is there really a need to
> know that for *clients* that just want to check the status of a certificate?
>
> I.e. OCSP is not only a YAP but could also (particularly with my issuer-certificate-cache
> addition http://www.jaybis.com/specifications/pkix/ocsp.html ) be the *only* protocol
> an ordinary client needs for accessing the "certificate store".
>
> For a lot of PKI's (like ID-cards) the certificates will not be public anyway
> and in these cases OCSP makes even more sense.
>
> Anders
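Added illustration (not code from this thread or from the OCSP draft) of the dependency behind Anders' issuer-certificate-cache point: an OCSP request identifies the certificate by a CertID built from hashes of the issuer's name and public key plus the leaf serial, so a client must already hold the issuer certificate before it can ask for the leaf's status. It uses the Python `cryptography` library and a constructed throwaway CA; the CertID layout follows the current OCSP RFC, which kept the 1998-era structure.

```python
import datetime
import hashlib

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

_NOW = datetime.datetime(2024, 1, 1)  # constructed validity period


def make_sample_pki():
    """Constructed test PKI: one self-signed CA and one leaf it issued."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example CA (constructed)")])
    leaf_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "alice (constructed)")])
    ca = (x509.CertificateBuilder().subject_name(ca_name).issuer_name(ca_name)
          .public_key(ca_key.public_key()).serial_number(1)
          .not_valid_before(_NOW).not_valid_after(_NOW + datetime.timedelta(days=3650))
          .sign(ca_key, hashes.SHA256()))
    leaf = (x509.CertificateBuilder().subject_name(leaf_name).issuer_name(ca_name)
            .public_key(leaf_key.public_key()).serial_number(0x1234)
            .not_valid_before(_NOW).not_valid_after(_NOW + datetime.timedelta(days=365))
            .sign(ca_key, hashes.SHA256()))
    return ca, leaf


def build_ocsp_request(leaf, issuer):
    """DER-encoded OCSP request for `leaf`; note the issuer cert is a required input."""
    req = ocsp.OCSPRequestBuilder().add_certificate(leaf, issuer, hashes.SHA1()).build()
    return req.public_bytes(serialization.Encoding.DER)


def expected_cert_id(leaf, issuer):
    """Recompute CertID by hand: SHA-1 of the issuer DN (DER) and of the
    issuer's subjectPublicKey BIT STRING contents, plus the leaf serial."""
    name_hash = hashlib.sha1(issuer.subject.public_bytes()).digest()
    key_bits = issuer.public_key().public_bytes(
        serialization.Encoding.X962, serialization.PublicFormat.UncompressedPoint)
    return leaf.serial_number, name_hash, hashlib.sha1(key_bits).digest()


def parse_cert_id(der):
    """Decode a request as a responder would and pull out its CertID fields."""
    req = ocsp.load_der_ocsp_request(der)
    return req.serial_number, req.issuer_name_hash, req.issuer_key_hash


def request_matches(leaf, issuer):
    return parse_cert_id(build_ocsp_request(leaf, issuer)) == expected_cert_id(leaf, issuer)
```

Without the issuer certificate neither hash can be computed, which is exactly the gap an issuer-certificate cache at the client (or at the OCSP responder it trusts) has to fill.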