Ousourced Trust (was Re: Difference between TCPA-Hardware and a smart card and something else before
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Sat Dec 27 08:07:29 EST 2003
Anne & Lynn Wheeler <lynn at garlic.com> writes:
>the IETF OCSP standards work seems to be all about a real-time protocol that
>a relying party can use to check with a (LDAP?) database about whether the
>information that might be in a specific certificate can still be relied on.
>It has some of the flavor of a distributed filesystem/database cache entry
>invalidation protocol All of the CRL and OCSP stuff isn't about using the
>certificate for authenticating to an x.500 directory .... but whether the
>stale, static copy of information in the certificate is still good.
That's my big gripe with OCSP, it's compromised in almost every way in order
to make it completely bug-compatible with CRLs. It's really mostly an online
CRL query protocol rather than any kind of status protocol (in other words a
responder can give you an, uhh, "live" response from a week-old CRL via OCSP).
A recent update to the protocol even removes the use of nonces, to make replay
attacks possible.
Peter.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list