Re: [TLS] the use cases for GSS-based TLS and the plea for integrating
Yoav Nir wrote:
>
> I disagree with that characterization of certificate-based
> authentication.
>
> You may not need to communicate with an identity provider, but you do
> need to validate the certificate. This necessarily implies checking
> for revocation. Now this could be done using CRL fetching, or OCSP or
> SCVP, but it usually means external communications.
Nope, certificate validation does NOT imply certificate revocation
checking. A CA may want to assert policies to do so, but that
is an entirely different can of worms.
A software architecture that performs certificate revocation checks
by synchronously communicating with third parties over the network
is likely to cause serious problems for the performance and
availability of a service.
I certainly don't mean to imply that certification checking is entirely
useless. But my idea about a reasonable implementation of
certificate revocation checking precludes synchronous communication
with third parties, and therefore (accessing an) OCSP(-server).
But even then, I would NOT do this within the TLS handshake itself.
-Martin
_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls