On Wed, 28 Jul 2010 10:50:52 -0500 Nicolas Williams
<nicolas.willi...@oracle.com> wrote:
> On Wed, Jul 28, 2010 at 11:38:28AM -0400, Perry E. Metzger wrote:
> > On Wed, 28 Jul 2010 09:57:21 -0500 Nicolas Williams
> > <nicolas.willi...@oracle.com> wrote:
> > > OCSP Responses are much like a PKI equivalent of Kerberos
> > > tickets. All you need to do to revoke a principal with OCSP is
> > > to remove it from the Responder's database or mark it revoked.
> > 
> > Actually, that's untrue in one very important respect.
> > 
> > In a Kerberos style system, you actively ask for credentials to do
> > things at frequent intervals, and if the KDCs refuse to talk to
> > you, you get no credentials.
> > 
> > In OCSP, we've inverted that. You have the credentials, for years
> > in most cases, and someone else has to actively check that
> > they're okay -- and in most instances, if they fail to get
> > through to an OCSP server, they will simply accept the
> > credentials.
> No, they really are semantically equivalent.

Again, I understand that in a technological sense, in an ideal world,
they would be equivalent. However, the big difference, again, is that
you can't run Kerberos with no KDC, but you can run a PKI without an
OCSP server. The KDC is impossible to leave out of the system. That is
a really nice technological feature.

Peter Gutmann has pointed out other critical distinctions, but I'll
let his message stand for itself.

Perry E. Metzger                pe...@piermont.com

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Reply via email to