Anne & Lynn Wheeler <[EMAIL PROTECTED]> writes: >the IETF OCSP standards work seems to be all about a real-time protocol that >a relying party can use to check with a (LDAP?) database about whether the >information that might be in a specific certificate can still be relied on. >It has some of the flavor of a distributed filesystem/database cache entry >invalidation protocol All of the CRL and OCSP stuff isn't about using the >certificate for authenticating to an x.500 directory .... but whether the >stale, static copy of information in the certificate is still good.
That's my big gripe with OCSP, it's compromised in almost every way in order to make it completely bug-compatible with CRLs. It's really mostly an online CRL query protocol rather than any kind of status protocol (in other words a responder can give you an, uhh, "live" response from a week-old CRL via OCSP). A recent update to the protocol even removes the use of nonces, to make replay attacks possible. Peter. --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
