Anne & Lynn Wheeler wrote:
> OCSP provides for an online
> transaction which asks whether the stale, static information is still
> usable, attempting to preserve the facade that digital certificates
> serve some useful purpose when there is online, direct access
> capability. The alternative is to eliminate the digital certificates all
> together and rather than doing an OCSP transaction, do a direct, online
> transaction.

The benefits of not always requiring direct online transactions have been
pointed out before in this thread, in terms of anonymity, availability and
reliability. What happens when you get a message and the direct, online
connection isn't there? You can't decrypt it even though you need to?

Digital certs (X.509 and PGP) are useful when the key owner is not online.
There is a world where this not only happens but is also useful. BTW, this
is recognized in IBE as well.

A couple additional comments:

> the baseline analysis, threat/vulnerability models, etc ... start with
> the simplest and then build the incremental pieces .... frequently
> looking at justification for the additional complexity.
>
> when doing the original design and architecture you frequently start
> with the overall objective and do a comprehensive design (to try and
> avoid having things fall thru the cracks).

Agreed, and that's where a baseline analysis really fails to reveal a
design's pros and cons -- because it follows a different path. Seems
logical but denies the design's own logic (which did NOT use a baseline
approach to begin with, on purpose).

Therefore, when I look into X.509 / PKI issues, or secure email issues,
a baseline analysis is not so very useful.

> the trusted third party certification authority is selling digital
> certificates to key owners for the benefit of relying parties.

The RPs are not part of the contract. Without CAs, there's no "key
owner" in PKI. It's for the benefit (and reduction of liability)
of the key owners.

Cheers,
Ed Gerck

---------------------------------------------------------------------
The Cryptography Mailing List