On Wed, 28 Jul 2010 14:40:14 -0600 Paul Tiemann <paul.tiemann.use...@gmail.com> wrote:
>
> On Jul 28, 2010, at 11:25 AM, Perry E. Metzger wrote:
>
> > On Wed, 28 Jul 2010 11:20:52 -0500 Nicolas Williams <nicolas.willi...@oracle.com> wrote:
> >> On Wed, Jul 28, 2010 at 12:18:56PM -0400, Perry E. Metzger wrote:
> >>> Again, I understand that in a technological sense, in an ideal world, they would be equivalent. However, the big difference, again, is that you can't run Kerberos with no KDC, but you can run a PKI without an OCSP server. The KDC is impossible to leave out of the system. That is a really nice technological feature.
> >>
> >> Whether PKI can run w/o OCSP is up to the relying parties. Today, because OCSP is an afterthought, they have little choice.
> >
> > My mother relies on many certificates. Can she make a decision on whether or not her browser uses OCSP for all its transactions?
>
> That might depend. I tell Firefox to use OCSP if a responder is referenced in the certificate, and I check that little checkbox that says "When an OCSP connection fails, treat the certificate as invalid."
I believe you've missed an important point. First, my mother would never understand what that box means. Second, my mother has no control over whether the CA provides OCSP.

Perry

-- 
Perry E. Metzger pe...@piermont.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com