On Wed, Jul 28, 2010 at 11:20:51AM -0500, Nicolas Williams wrote:
> On Wed, Jul 28, 2010 at 12:18:56PM -0400, Perry E. Metzger wrote:
> > Again, I understand that in a technological sense, in an ideal world,
> > they would be equivalent. However, the big difference, again, is that
> > you can't run Kerberos with no KDC, but you can run a PKI without an
> > OCSP server. The KDC is impossible to leave out of the system. That is
> > a really nice technological feature.
> Whether PKI can run w/o OCSP is up to the relying parties.  Today,
> because OCSP is an afterthought, they have little choice.

Also, requiring OCSP will probably take less effort than switching from
PKI to Kerberos.  In other words: eveything sucks.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Reply via email to