Hi Peter,

Do you have any suggestions as to how the setting of these OCSP time values should be done? I guess it's not clear to me why you feel the CAs need to agree on this. Why wouldn't the client simply make its decision based on its local time (which I agree may be far from correct) and the values in the response? Clients make these decisions every day with certs, so why would OCSP responses be any different? Is it the "producedAt" time that confuses the issue?

Regarding the various trust models, I agree there are too many choices. The "delegated" trust model is the only one that really makes sense for large consumer-facing PKIs in my opinion.

Alex

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Gutmann
> Sent: Tuesday, June 14, 2005 4:44 AM
> To: [email protected]
> Subject: Re: More Phishing scams, still no SSL being used...
>
> [EMAIL PROTECTED] (Peter Gutmann) writes:
>
> >all you need to do is get all the CAs and PKI vendors to agree on how to do
> >it, and then change all their applications and certs to conform. QED.
>
> That may be a bit vague for people not familiar with OCSP, so let me expand a
> bit on it: This isn't an implementation problem, it's a philosophical problem,
> every vendor and CA has a different idea of how to set the various fields, and
> the standard (by design) gives them the leeway to do that. Even OCSP's trust
> model is totally schizophrenic[0], with no less than three mutually
> incompatible trust models, one per vendor involved [1]. So this isn't a
> problem that can be fixed.
>
> Peter.
>
> [0] I'm using the term here in its commonly-used sense, not the clinical
> sense.
> [1] Actually it's 2+n, because the third option is "whatever the user wants".
>
> _______________________________________________
> mozilla-crypto mailing list
> [email protected]
> http://mail.mozilla.org/listinfo/mozilla-crypto
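The freshness rule Alex describes (client compares its own clock against the response's time fields) can be written down concretely. The following is an added example, not code from either poster or from any OCSP implementation; it models the three RFC 2560 time fields (thisUpdate, nextUpdate, producedAt) as plain datetimes with constructed sample values, and the skew allowance and maximum age for responses without nextUpdate are assumed local policy numbers, not values from the standard.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of the time fields a client sees in a BasicOCSPResponse.
# producedAt sits on ResponseData; thisUpdate/nextUpdate sit on each SingleResponse.
# These timestamps are made up for illustration, not taken from any real responder.
SAMPLE_RESPONSE = {
    "producedAt": datetime(2005, 6, 14, 3, 40, tzinfo=timezone.utc),
    "thisUpdate": datetime(2005, 6, 14, 3, 30, tzinfo=timezone.utc),
    # nextUpdate is OPTIONAL in RFC 2560; set it to None to exercise that branch.
    "nextUpdate": datetime(2005, 6, 14, 15, 30, tzinfo=timezone.utc),
}


def check_ocsp_times(resp, now, skew=timedelta(minutes=5), max_age=timedelta(days=7)):
    """Decide whether an OCSP response is usable given the client's local clock.

    Returns (ok, reason). `skew` is an assumed tolerance for clock drift between
    client and responder; `max_age` is an assumed policy cap used only when the
    responder omitted nextUpdate, so a stale answer cannot be replayed forever.
    """
    this_update = resp["thisUpdate"]
    next_update = resp.get("nextUpdate")
    produced_at = resp["producedAt"]

    # The responder signs (producedAt) at or after the moment the status was
    # known to be correct (thisUpdate); a reversed order is malformed.
    if produced_at + skew < this_update:
        return False, "producedAt earlier than thisUpdate"

    # A status "known correct" at a future time cannot be trusted yet.
    if this_update > now + skew:
        return False, "thisUpdate is in the future"

    if next_update is not None:
        # Explicit validity window: reject once it has passed (minus skew).
        if next_update < now - skew:
            return False, "response expired (nextUpdate passed)"
    else:
        # No window given: fall back to local policy on how old is too old.
        if now - this_update > max_age:
            return False, "no nextUpdate and thisUpdate older than policy max age"

    return True, "fresh"


if __name__ == "__main__":
    now = datetime(2005, 6, 14, 4, 44, tzinfo=timezone.utc)
    print(check_ocsp_times(SAMPLE_RESPONSE, now))
```

The point the check makes visible is that the decision needs no agreement between CAs beyond the field semantics already in the RFC: every branch uses only the client's clock, a skew tolerance and the response's own values, which is exactly how certificate notBefore/notAfter checks work today. The one place the client must supply policy of its own is the missing-nextUpdate case.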
