[EMAIL PROTECTED] (Peter Gutmann) writes:
>all you need to do is get all the CAs and PKI vendors to agree on how to do
>it, and then change all their applications and certs to conform. QED.
That may be a bit vague for people not familiar with OCSP, so let me expand a
bit on it: This isn't an implementation problem, it's a philosophical problem,
every vendor and CA has a different idea of how to set the various fields, and
the standard (by design) gives them the leeway to do that. Even OCSP's trust
model is totally schizophrenic[0], with no less than three mutually
incompatible trust models, one per vendor involved [1]. So this isn't a
problem that can be fixed.
Peter.
[0] I'm using the term here in its commonly-used sense, not the clinical
sense.
[1] Actually it's 2+n, because the third option is "whatever the user wants".