On Jul 28, 2010, at 11:25 AM, Perry E. Metzger wrote:

> On Wed, 28 Jul 2010 11:20:52 -0500 Nicolas Williams
> <nicolas.willi...@oracle.com> wrote:
>> On Wed, Jul 28, 2010 at 12:18:56PM -0400, Perry E. Metzger wrote:
>>> Again, I understand that in a technological sense, in an ideal
>>> world, they would be equivalent. However, the big difference,
>>> again, is that you can't run Kerberos with no KDC, but you can
>>> run a PKI without an OCSP server. The KDC is impossible to leave
>>> out of the system. That is a really nice technological feature.
>>
>> Whether PKI can run w/o OCSP is up to the relying parties. Today,
>> because OCSP is an afterthought, they have little choice.
>
> My mother relies on many certificates. Can she make a decision on
> whether or not her browser uses OCSP for all its transactions?
That might depend. I tell Firefox to use OCSP if a responder is referenced in the certificate, and I check that little checkbox that says "When an OCSP connection fails, treat the certificate as invalid."

True, if you don't have that checkbox marked, then Firefox will take a failed OCSP check attempt (connection refused, socket timeout, etc.) as a success. What it ought to do is try the CRL(s) listed in the certificate too, and if both don't work then it really ought to error.

Paul Tiemann (DigiCert)

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
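The policy Paul describes (ask the OCSP responder, fall back to the certificate's CRL distribution points, and only then decide whether "nobody answered" means reject or accept) is easy to get wrong because a transport failure and a "good" answer end up on the same code path. The following is an added example, not code from the thread or from any browser: it models the three outcomes of a revocation query explicitly and keeps the fail-open/fail-closed decision in one place. The URLs, the fetcher table and the scenario helper are constructed stand-ins for real network fetches.

```python
"""Relying-party revocation policy: OCSP, then CRL, then a hard-fail or
soft-fail decision when no source answered. Added example; network access
is simulated with a lookup table so the script runs offline."""
import socket
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional


class Status(Enum):
    GOOD = "good"                # source answered: certificate not revoked
    REVOKED = "revoked"          # source answered: certificate revoked
    UNAVAILABLE = "unavailable"  # no usable answer (refused, timeout, garbage)


@dataclass(frozen=True)
class Verdict:
    accept: bool
    source: str   # "ocsp", "crl", or "policy" when no source answered
    reason: str


# A fetcher takes a URL and returns a Status, or raises a transport error.
Fetcher = Callable[[str], Status]


def _query(fetch: Fetcher, url: str) -> Status:
    """Map every transport or parse failure to UNAVAILABLE so that it can
    never be mistaken for GOOD further down."""
    try:
        return fetch(url)
    except (OSError, socket.timeout, ValueError):
        # ConnectionRefusedError and TimeoutError are OSError subclasses;
        # ValueError stands in for an unparseable response.
        return Status.UNAVAILABLE


def check_revocation(ocsp_url: Optional[str], crl_urls: List[str],
                     ocsp_fetch: Fetcher, crl_fetch: Fetcher,
                     hard_fail: bool) -> Verdict:
    """Consult OCSP first, then each CRL in turn; an authoritative answer from
    any source decides. Only when all are UNAVAILABLE does hard_fail matter:
    True rejects (the Firefox checkbox), False accepts (soft-fail)."""
    if ocsp_url is not None:
        status = _query(ocsp_fetch, ocsp_url)
        if status is Status.GOOD:
            return Verdict(True, "ocsp", "responder reports good")
        if status is Status.REVOKED:
            return Verdict(False, "ocsp", "responder reports revoked")
    for url in crl_urls:
        status = _query(crl_fetch, url)
        if status is Status.GOOD:
            return Verdict(True, "crl", f"serial not listed in {url}")
        if status is Status.REVOKED:
            return Verdict(False, "crl", f"serial listed in {url}")
    if hard_fail:
        return Verdict(False, "policy", "no revocation source reachable; hard-fail rejects")
    return Verdict(True, "policy", "no revocation source reachable; soft-fail accepts")


def make_fetcher(table: Dict[str, object]) -> Fetcher:
    """Constructed stand-in for a network fetch: the table maps a URL either to
    a Status or to an exception instance the fetch should raise."""
    def fetch(url: str) -> Status:
        outcome = table.get(url, ConnectionRefusedError("no route"))
        if isinstance(outcome, BaseException):
            raise outcome
        return outcome
    return fetch


OCSP = "http://ocsp.example.test"         # constructed responder URL
CRL = "http://crl.example.test/ca.crl"    # constructed CRL distribution point


def scenario(ocsp_outcome: object, crl_outcome: object, hard_fail: bool) -> Verdict:
    """Run the policy against one constructed outcome per source."""
    return check_revocation(OCSP, [CRL],
                            make_fetcher({OCSP: ocsp_outcome}),
                            make_fetcher({CRL: crl_outcome}),
                            hard_fail)


if __name__ == "__main__":
    cases = [
        ("OCSP up, says good", Status.GOOD, Status.GOOD, False),
        ("OCSP refused, CRL says revoked", ConnectionRefusedError(), Status.REVOKED, False),
        ("both time out, soft-fail", TimeoutError(), TimeoutError(), False),
        ("both time out, hard-fail", TimeoutError(), TimeoutError(), True),
    ]
    for name, ocsp, crl, hf in cases:
        v = scenario(ocsp, crl, hf)
        print(f"{name:32} -> accept={v.accept} via {v.source}: {v.reason}")
```

The second case is the one the post asks for: with the responder unreachable, the CRL still gets a say and a revoked certificate is rejected instead of being waved through. The last two cases differ only in the policy flag, which is exactly the difference between leaving the Firefox checkbox unchecked and checking it.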