On Wed, 28 Jul 2010 10:50:52 -0500 Nicolas Williams <nicolas.willi...@oracle.com> wrote:

> On Wed, Jul 28, 2010 at 11:38:28AM -0400, Perry E. Metzger wrote:
> > On Wed, 28 Jul 2010 09:57:21 -0500 Nicolas Williams
> > <nicolas.willi...@oracle.com> wrote:
> > > OCSP Responses are much like a PKI equivalent of Kerberos
> > > tickets. All you need to do to revoke a principal with OCSP is
> > > to remove it from the Responder's database or mark it revoked.
> >
> > Actually, that's untrue in one very important respect.
> >
> > In a Kerberos style system, you actively ask for credentials to do
> > things at frequent intervals, and if the KDCs refuse to talk to
> > you, you get no credentials.
> >
> > In OCSP, we've inverted that. You have the credentials, for years
> > in most cases, and someone else has to actively check that
> > they're okay -- and in most instances, if they fail to get
> > through to an OCSP server, they will simply accept the
> > credentials.
>
> No, they really are semantically equivalent.
Again, I understand that in a technological sense, in an ideal world, they would be equivalent. However, the big difference, again, is that you can't run Kerberos with no KDC, but you can run a PKI without an OCSP server. The KDC is impossible to leave out of the system. That is a really nice technological feature.

Peter Gutmann has pointed out other critical distinctions, but I'll let his message stand for itself.

Perry

-- 
Perry E. Metzger    pe...@piermont.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
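The failure mode Perry describes, as an added illustration that is not part of the thread and not code from either participant: a constructed simulation of both models. The OCSP relying party already holds a long-lived certificate and must decide what to do when the responder gives no answer (soft-fail accepts, hard-fail rejects); the Kerberos-style client has no usable credential at all unless the KDC issues a fresh ticket. The `OcspResponder` and `Kdc` classes, the serial numbers, principal names and service names are invented for the example; no real OCSP or Kerberos protocol messages are exchanged.

```python
"""Constructed simulation of OCSP soft-fail/hard-fail versus a Kerberos-style
KDC. Added example: all responder/KDC state, serials and principals are invented.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set


class OcspStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNREACHABLE = "unreachable"  # no answer: outage, or an attacker blocking the path


@dataclass
class OcspResponder:
    """Stand-in for the responder's database: serials it has marked revoked."""
    revoked: Set[int] = field(default_factory=set)
    reachable: bool = True

    def query(self, serial: int) -> OcspStatus:
        if not self.reachable:
            return OcspStatus.UNREACHABLE
        return OcspStatus.REVOKED if serial in self.revoked else OcspStatus.GOOD


def ocsp_accepts(responder: OcspResponder, serial: int, hard_fail: bool) -> bool:
    """Relying-party decision for a certificate the peer already presented.

    The credential is in hand regardless; the only question is how the verifier
    treats the responder's answer, and in particular the absence of one.
    """
    status = responder.query(serial)
    if status is OcspStatus.GOOD:
        return True
    if status is OcspStatus.REVOKED:
        return False
    # UNREACHABLE: this single branch is the whole soft-fail/hard-fail difference.
    return not hard_fail


@dataclass
class Kdc:
    """Stand-in for a KDC: principals still allowed to obtain tickets."""
    principals: Set[str] = field(default_factory=set)
    reachable: bool = True

    def issue_ticket(self, principal: str, service: str) -> Optional[str]:
        """Return a fake ticket, or None when no ticket can be issued."""
        if not self.reachable or principal not in self.principals:
            return None
        return f"ticket:{principal}->{service}"


def kerberos_accepts(kdc: Kdc, principal: str, service: str) -> bool:
    """The client must obtain a fresh ticket before each access: no ticket, no access."""
    ticket = kdc.issue_ticket(principal, service)
    return ticket == f"ticket:{principal}->{service}"


def run_scenarios() -> Dict[str, bool]:
    """Outcome of each model under matching conditions (invented data)."""
    serial = 0x1001  # invented serial of a long-lived certificate
    results: Dict[str, bool] = {}
    up = OcspResponder(revoked={serial})
    down = OcspResponder(revoked={serial}, reachable=False)
    results["ocsp: valid cert, responder up"] = ocsp_accepts(up, 0x2002, hard_fail=False)
    results["ocsp: revoked cert, responder up"] = ocsp_accepts(up, serial, hard_fail=False)
    results["ocsp soft-fail: revoked cert, responder down"] = ocsp_accepts(down, serial, hard_fail=False)
    results["ocsp hard-fail: revoked cert, responder down"] = ocsp_accepts(down, serial, hard_fail=True)
    kdc_up = Kdc(principals={"alice"})
    kdc_down = Kdc(principals={"alice"}, reachable=False)
    results["kerberos: principal active, KDC up"] = kerberos_accepts(kdc_up, "alice", "imap/mail")
    results["kerberos: principal removed, KDC up"] = kerberos_accepts(kdc_up, "mallory", "imap/mail")
    results["kerberos: principal active, KDC down"] = kerberos_accepts(kdc_down, "alice", "imap/mail")
    return results


if __name__ == "__main__":
    for scenario, accepted in run_scenarios().items():
        print(f"{scenario:50s} -> {'ACCEPT' if accepted else 'REJECT'}")
```

The only scenario in which a revoked credential is accepted is the soft-fail OCSP check with the responder unreachable; the Kerberos side cannot reach that state because an unreachable KDC issues nothing. Real relying parties expose the same choice as a hard-fail setting (Firefox's `security.OCSP.require`, for instance), which is the knob to audit when deploying a PKI whose revocation checks must actually bite.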