On Jul 28, 2010, at 11:25 AM, Perry E. Metzger wrote:

> On Wed, 28 Jul 2010 11:20:52 -0500 Nicolas Williams
> <nicolas.willi...@oracle.com> wrote:
>> On Wed, Jul 28, 2010 at 12:18:56PM -0400, Perry E. Metzger wrote:
>>> Again, I understand that in a technological sense, in an ideal
>>> world, they would be equivalent. However, the big difference,
>>> again, is that you can't run Kerberos with no KDC, but you can
>>> run a PKI without an OCSP server. The KDC is impossible to leave
>>> out of the system. That is a really nice technological feature.
>> Whether PKI can run w/o OCSP is up to the relying parties.  Today,
>> because OCSP is an afterthought, they have little choice.
> My mother relies on many certificates. Can she make a decision on
> whether or not her browser uses OCSP for all its transactions?

That might depend.  I tell Firefox to use OCSP if a responder is referenced in 
the certificate, and I check that little checkbox that says "When an OCSP 
connection fails, treat the certificate as invalid."

True, if you don't have that checkbox marked, then Firefox will take a failed
OCSP check attempt (connection refused, socket timeout, etc.) as a success.
What it ought to do is try the CRL(s) listed in the certificate too, and if
both don't work then it really ought to error.

Paul Tiemann
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
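The three revocation-check behaviours discussed above (Firefox's soft-fail default, the "treat the certificate as invalid" hard-fail checkbox, and the proposed OCSP-then-CRL-then-error policy) can be modelled as a small decision procedure. The following is an added example, not code from the thread or from Firefox: it does not reproduce Firefox's internal logic, and the responder and CRL URLs, the serial numbers, and the `make_fetcher` simulation of network outcomes are all constructed so the example runs offline.

```python
"""Model of revocation-check policies: OCSP soft-fail vs hard-fail vs CRL fallback.

Added example (not from the mailing-list thread or from Firefox). The network
is simulated so the decision logic can be exercised offline.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNAVAILABLE = "unavailable"  # refused connection, timeout, malformed reply


class Policy(Enum):
    SOFT_FAIL = "soft_fail"            # unreachable responder is treated as success
    HARD_FAIL_OCSP = "hard_fail_ocsp"  # the "treat the certificate as invalid" checkbox
    HARD_FAIL_WITH_CRL = "hard_fail_crl"  # proposed: try CRL after OCSP fails, else error


@dataclass
class Cert:
    serial: int
    ocsp_urls: List[str]  # AIA OCSP responder URLs (constructed values below)
    crl_urls: List[str]   # CRL distribution point URLs (constructed values below)


# A fetcher returns a definitive Status or raises on any transport failure.
Fetcher = Callable[[str, int], Status]


def query_sources(urls: List[str], serial: int, fetch: Fetcher) -> Status:
    """Try each source in order; the first definitive answer wins.

    Transport failures are swallowed and the next source is tried, so the
    caller only sees UNAVAILABLE when no source gave an answer.
    """
    for url in urls:
        try:
            status = fetch(url, serial)
        except OSError:  # connection refused, timeout, etc. (simulated below)
            continue
        if status in (Status.GOOD, Status.REVOKED):
            return status
    return Status.UNAVAILABLE


def decide(cert: Cert, policy: Policy, ocsp_fetch: Fetcher, crl_fetch: Fetcher) -> bool:
    """Return True if the certificate is accepted under the given policy."""
    if cert.ocsp_urls:
        ocsp = query_sources(cert.ocsp_urls, cert.serial, ocsp_fetch)
        if ocsp is not Status.UNAVAILABLE:
            return ocsp is Status.GOOD  # a definitive OCSP answer ends the check
        if policy is Policy.SOFT_FAIL:
            return True   # the failure mode the message warns about
        if policy is Policy.HARD_FAIL_OCSP:
            return False  # responder listed but unreachable: reject
    # Reached when no responder is listed, or OCSP failed under HARD_FAIL_WITH_CRL.
    if cert.crl_urls:
        crl = query_sources(cert.crl_urls, cert.serial, crl_fetch)
        if crl is not Status.UNAVAILABLE:
            return crl is Status.GOOD
    # No definitive answer from any source: only soft-fail accepts.
    return policy is Policy.SOFT_FAIL


# --- constructed test fixtures (not real services) ---
OCSP_URL = "http://ocsp.example.test/"          # constructed
CRL_URL = "http://crl.example.test/ca.crl"      # constructed
REVOKED_SERIALS = {0x1337}                      # constructed


def make_fetcher(reachable: Dict[str, bool]) -> Fetcher:
    """Simulate a responder/CRL server: raise if 'down', else answer from REVOKED_SERIALS."""
    def fetch(url: str, serial: int) -> Status:
        if not reachable.get(url, False):
            raise ConnectionRefusedError(f"{url}: connection refused")  # simulated outage
        return Status.REVOKED if serial in REVOKED_SERIALS else Status.GOOD
    return fetch


def run_scenario(ocsp_up: bool, crl_up: bool, serial: int) -> Dict[str, bool]:
    """Decide one certificate under every policy and return {policy_name: accepted}."""
    cert = Cert(serial=serial, ocsp_urls=[OCSP_URL], crl_urls=[CRL_URL])
    ocsp_fetch = make_fetcher({OCSP_URL: ocsp_up})
    crl_fetch = make_fetcher({CRL_URL: crl_up})
    return {p.value: decide(cert, p, ocsp_fetch, crl_fetch) for p in Policy}


if __name__ == "__main__":
    # Responder down, CRL reachable, certificate actually revoked:
    # soft-fail accepts it; the other two policies reject it.
    print(run_scenario(ocsp_up=False, crl_up=True, serial=0x1337))
```

The interesting row is the responder-down case with a revoked serial: the soft-fail policy accepts the certificate because it never learns the CRL says otherwise, the hard-fail checkbox rejects it without consulting the CRL, and the CRL-fallback policy rejects it for the right reason. When both sources are down, only soft-fail accepts.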
