A mighty fortress is our PKI, Part II
Perry E. Metzger
perry at piermont.com
Wed Jul 28 13:25:21 EDT 2010
On Wed, 28 Jul 2010 11:20:52 -0500 Nicolas Williams
<Nicolas.Williams at oracle.com> wrote:
> On Wed, Jul 28, 2010 at 12:18:56PM -0400, Perry E. Metzger wrote:
> > Again, I understand that in a technological sense, in an ideal
> > world, they would be equivalent. However, the big difference,
> > again, is that you can't run Kerberos with no KDC, but you can
> > run a PKI without an OCSP server. The KDC is impossible to leave
> > out of the system. That is a really nice technological feature.
>
> Whether PKI can run w/o OCSP is up to the relying parties. Today,
> because OCSP is an afterthought, they have little choice.
My mother relies on many certificates. Can she make a decision on
whether or not her browser uses OCSP for all its transactions?
I mention this only because your language here is quite sticky.
Saying it is "up to the relying parties" is incorrect. It is really
up to a host of people who are nowhere near the relying parties. In
most cases, the relying parties aren't even capable of understanding
the issue.
Perry
--
Perry E. Metzger perry at piermont.com
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list