Anne & Lynn Wheeler wrote:
OCSP provides for an online transaction which asks whether the stale, static information is still usable, attempting to preserve the facade that digital certificates serve some useful purpose when there is online, direct access capability. The alternative is to eliminate the digital certificates altogether and rather than doing an OCSP transaction, do a direct, online transaction.
The benefits of not always requiring direct online transactions have been pointed out before in this thread, in terms of anonymity, availability and reliability. What happens when you get a message and the direct, online connection isn't there? You can't decrypt it even though you need to? Digital certs (X.509 and PGP) are useful when the key owner is not online. There is a world where this not only happens but is also useful. BTW, this is recognized in IBE as well.

A couple additional comments:

> the baseline analysis, threat/vulnerability models, etc ... start with
> the simplest and then build the incremental pieces .... frequently
> looking at justification for the additional complexity.
>
> when doing the original design and architecture you frequently start
> with the overall objective and do a comprehensive design (to try and
> avoid having things fall thru the cracks).

Agreed, and that's where a baseline analysis really fails to reveal a design's pros and cons -- because it follows a different path. Seems logical but denies the design's own logic (which did NOT use a baseline approach to begin with, on purpose). Therefore, when I look into X.509 / PKI issues, or secure email issues, a baseline analysis is not so very useful.

> the trusted third party certification authority is selling digital
> certificates to key owners for the benefit of relying parties.

The RPs are not part of the contract. Without CAs, there's no "key owner" in PKI. It's for the benefit (and reduction of liability) of the key owners.

Cheers,
Ed Gerck

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
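The availability question raised in this exchange (a certificate is static, signed-in-advance data; OCSP adds an online freshness check; the check may be unreachable exactly when the message arrives) comes down to a relying-party decision rule. The following is an added illustration written for this page, not code from either poster or from any OCSP implementation: it models the decision with plain data structures rather than real OCSP encoding, and every name (`CertInfo`, `OcspStatus`, `Policy`, `decide`, the sample serial and dates) is a constructed assumption. It shows the hard-fail versus soft-fail outcomes when a cached status has gone stale and the responder cannot be reached, and that a reachable responder reporting "revoked" overrides the static validity window under either policy.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Callable, Optional, Tuple


class Policy(Enum):
    """What the relying party does when no fresh revocation status can be obtained."""
    HARD_FAIL = "hard-fail"  # no fresh status -> reject
    SOFT_FAIL = "soft-fail"  # no fresh status -> rely on the static certificate alone


@dataclass(frozen=True)
class CertInfo:
    """The static facts a certificate carries (constructed subset for this example)."""
    serial: int
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class OcspStatus:
    """Single-certificate status as a responder would report it (constructed model)."""
    serial: int
    status: str            # "good", "revoked" or "unknown"
    this_update: datetime  # when the responder produced this status
    next_update: datetime  # after this instant the status itself is stale


Responder = Callable[[int], Optional[OcspStatus]]  # returns None when unreachable


def static_window_ok(cert: CertInfo, now: datetime) -> bool:
    """The purely offline check: is 'now' inside the certificate's validity period?"""
    return cert.not_before <= now <= cert.not_after


def fresh_status(cached: Optional[OcspStatus], cert: CertInfo,
                 now: datetime) -> Optional[OcspStatus]:
    """Return a cached status only if it is for this serial and not yet stale."""
    if cached is None or cached.serial != cert.serial:
        return None
    return cached if cached.this_update <= now < cached.next_update else None


def decide(cert: CertInfo, now: datetime, policy: Policy,
           cached: Optional[OcspStatus] = None,
           responder: Optional[Responder] = None) -> Tuple[str, str]:
    """Relying-party decision: returns ("accept" | "reject", reason)."""
    if not static_window_ok(cert, now):
        return "reject", "outside certificate validity window"

    status = fresh_status(cached, cert, now)
    if status is None and responder is not None:
        status = responder(cert.serial)  # the online transaction; None = no connection
        if status is not None and status.serial != cert.serial:
            status = None  # a response about some other certificate does not count

    if status is None:
        if policy is Policy.HARD_FAIL:
            return "reject", "no fresh revocation status available"
        return "accept", "soft-fail: static certificate accepted without fresh status"

    if status.status == "revoked":
        return "reject", "responder reports revoked"
    if status.status == "good":
        return "accept", "fresh status is good"
    # "unknown": the responder has no record of this serial; treat like no status
    if policy is Policy.HARD_FAIL:
        return "reject", "responder status unknown"
    return "accept", "soft-fail: responder status unknown"


# ---- constructed sample data (not real certificates or responses) ----------------
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
CERT = CertInfo(serial=0x1234, not_before=NOW - timedelta(days=30),
                not_after=NOW + timedelta(days=335))
# A cached "good" whose next_update has already passed: stale, so it must not count.
STALE_CACHED = OcspStatus(0x1234, "good", NOW - timedelta(days=10), NOW - timedelta(days=3))
# A fresh "good" that is still within its update window.
FRESH_GOOD = OcspStatus(0x1234, "good", NOW - timedelta(hours=1), NOW + timedelta(days=1))


def responder_down(serial: int) -> Optional[OcspStatus]:
    """Simulates the 'direct online connection isn't there' case."""
    return None


def responder_revoked(serial: int) -> Optional[OcspStatus]:
    """Simulates a reachable responder that reports the certificate revoked."""
    return OcspStatus(serial, "revoked", NOW - timedelta(hours=1), NOW + timedelta(days=1))


if __name__ == "__main__":
    for pol in Policy:
        print(pol.value, "/ responder down, stale cache:",
              decide(CERT, NOW, pol, cached=STALE_CACHED, responder=responder_down))
    print("responder reachable, revoked:",
          decide(CERT, NOW, Policy.SOFT_FAIL, responder=responder_revoked))
    print("fresh cached good, no network needed:",
          decide(CERT, NOW, Policy.HARD_FAIL, cached=FRESH_GOOD))
```

The last case is the one the thread's offline argument rests on: a status cached while the connection was up keeps the certificate usable until `next_update` without any further online transaction, which is what a purely direct-lookup design cannot offer. The policy choice decides what happens after that window closes while the responder is unreachable.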