[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [pkix] OCSP and Privacy Issues

From: "Carl Wallace" <CWallace at cygnacom.com>
To: <pkix at ietf.org>
Date: Tue, 17 Nov 2009 08:20:03 -0500
In-reply-to: <86112D3D-9E0C-4703-AFCC-A8873B74017B at mitre.org>
References: <01cf01ca6292$d31079a0$79316ce0$ at com><p06240802c724e437d065 at [10.11.1.91]> <4B018715.2060401 at Dartmouth.edu><4B0186F4.2050806 at drh-consultancy.demon.co.uk><4B018DFB.5020607 at Dartmouth.edu><op.u3h0yzwevqd7e2 at killashandra.oslo.osa> <86112D3D-9E0C-4703-AFCC-A8873B74017B at mitre.org>
List-id: PKIX Working Group <pkix.ietf.org>

> > Basic problem with a HTTPS OCSP responder: Validating the
responder's
> > own certificate. If the certificate specify the OCSP responder
itself
> > as a the validator for its own certificate there is a infinite loop
> problem.
> >
> > Solution: Certificates for OCSP responders must not specify OCSP
> URIs,
> > only CRLs.
> 
> Simpler:  OCSP responder SSL certs assert id-pkix-ocsp-nocheck.

Even more simple: use partitioned CRLs where OCSP is used

Follow-Ups:
- Re: [pkix] OCSP and Privacy Issues
  - From: Massimiliano Pala

References:
- [pkix] Comments on draft-ietf-pkix-ocspagility-03.txt
  - From: Jim Schaad
- Re: [pkix] Comments on draft-ietf-pkix-ocspagility-03.txt
  - From: Stephen Kent
- [pkix] OCSP and Privacy Issues
  - From: Massimiliano Pala
- Re: [pkix] OCSP and Privacy Issues
  - From: Dr Stephen Henson
- Re: [pkix] OCSP and Privacy Issues
  - From: Massimiliano Pala
- Re: [pkix] OCSP and Privacy Issues
  - From: Yngve Nysaeter Pettersen
- Re: [pkix] OCSP and Privacy Issues
  - From: Miller, Timothy J.

Prev by Date: Re: [pkix] OCSP and Privacy Issues
Next by Date: Re: [pkix] Comments on draft-ietf-pkix-ocspagility-03.txt
Previous by thread: Re: [pkix] OCSP and Privacy Issues
Next by thread: Re: [pkix] OCSP and Privacy Issues
Index(es):
- Date
- Thread

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.