On Wed, 28 Jul 2010 11:20:52 -0500 Nicolas Williams <nicolas.willi...@oracle.com> wrote:

> On Wed, Jul 28, 2010 at 12:18:56PM -0400, Perry E. Metzger wrote:
> > Again, I understand that in a technological sense, in an ideal
> > world, they would be equivalent. However, the big difference,
> > again, is that you can't run Kerberos with no KDC, but you can
> > run a PKI without an OCSP server. The KDC is impossible to leave
> > out of the system. That is a really nice technological feature.
>
> Whether PKI can run w/o OCSP is up to the relying parties. Today,
> because OCSP is an afterthought, they have little choice.
My mother relies on many certificates. Can she make a decision on whether or not her browser uses OCSP for all its transactions?

I mention this only because your language here is quite sticky. Saying it is "up to the relying parties" is incorrect. It is really up to a host of people who are nowhere near the relying parties. In most cases, the relying parties aren't even capable of understanding the issue.

Perry

--
Perry E. Metzger pe...@piermont.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com