On Wed, Jul 28, 2010 at 11:20:51AM -0500, Nicolas Williams wrote:
> On Wed, Jul 28, 2010 at 12:18:56PM -0400, Perry E. Metzger wrote:
> > Again, I understand that in a technological sense, in an ideal world,
> > they would be equivalent. However, the big difference, again, is that
> > you can't run Kerberos with no KDC, but you can run a PKI without an
> > OCSP server. The KDC is impossible to leave out of the system. That is
> > a really nice technological feature.
>
> Whether PKI can run w/o OCSP is up to the relying parties. Today,
> because OCSP is an afterthought, they have little choice.

Also, requiring OCSP will probably take less effort than switching from
PKI to Kerberos.

In other words: everything sucks.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com