"Anders Rundgren" <[EMAIL PROTECTED]> writes:

> Probably because this is the only thing that is needed. If you
> need additional information concerning a certified identity, you
> will in most cases have to ask another party for that.

there are enormous examples of where real time and aggregated information is viewed as advantageous when making a decision ... especially where value is concerned. The simple issue with OCSP is that it needed to preserve the facade that stale, static information was useful all by itself.

The original statement was that anybody making any decision with regard to things of value ... if all other things were equal ... and they had a choice between 1) stale, static, year old information (say about whether a financial account may or may not have existed) and 2) a real-time response based on real-time and aggregated information whether they were being paid ... would relying parties prefer to have stale, static year old information ... or would they prefer to have a real time answer whether or not they were being paid.

The issue is that OCSP goes to all the trouble to have real-time information responding yes/no to whether the stale, static information was still current ... but doesn't provide a yes/no response to whether the relying party was actually being paid. The contention is that going to all the trouble of having a real-time operation ... the yes/no response to being paid or not ... is of significantly more value to a relying party than whether or not some stale, static information was still valid.

the analogy is that you have a strip mall ... that has a bunch of retail stores. there are an appliance operation, a dry goods operation and an identification operation. you go into the appliance operation and buy an appliance and present a card ... that card initiates an online transaction, which checks your financial worth and recent transactions, and a relying party returns to the merchant a guarantee that they will be (and possibly already have been) paid. you then go into the identity operation and present a card ... the digital certificate is retrieved by the operation ... it does an OCSP to check if the certificate is still valid and then they verify a digital signature operation. then you walk out of the store (random acts of gratuitous identification).

the issue, of course, is that very few verification or identification things are done just for the sake of doing them ... they are almost always done within the context of performing some other operation. the assertion has always been that the verification of stale, static information is only useful to the relying party when they have no recourse to more valuable, real-time information (and/or recent stale, static paradigm has tried to move into the no-value market niche, where the no-value operation can't justify the cost of real-time operation). you very seldom have acts of gratuitous identification occurring ... they are occurring within some context.

furthermore there are a huge number of operations where the issue of identification is superfluous to the objective of the operation ... which may be primarily the exchange of value (as the object of the operation) and identification is truly redundant and superfluous (as can be demonstrated when anonymous cash can be used in lieu of financial institution based exchange of value).

--
Anne & Lynn Wheeler | http://www.garlic.com/~lynn/

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
