"Vivek" <[EMAIL PROTECTED]> writes:

> Wouldn't a time of expiry be more relevant (to a client) as part of
> the ocsp response (just wondering if there was a reason that this
> was already considered and rejected?)
The issue is that PKI, certification authorities, digital signatures, etc. were invented to address the offline trust problem ... where a relying party had no access to information in a first-time communication about a stranger.

OCSP sort of came on the scene in the mid-90s, after I was pointing out that suggestions regarding converting the payment card network to "modern" PKI were actually a technology regression of 20 or more years. The credit card industry was doing offline processes with plastic credentials and invalid-account booklets mailed to all merchants every month, then weekly, then possibly looking at printing tens of millions of invalid-account booklets and mailing them out every day. So instead, they transitioned to online transactions by adding a magstripe to the existing plastic credential. Now, rather than relying on stale, static credential information, they could do real live, online transactions (and poof goes the problem of mailing out tens of millions of account-invalidation booklets every couple of hours).

The observation is that OCSP goes to all the overhead and expense of having an online transaction ... but actually is returning very little useful information. If you started suggesting that OCSP should start returning actual, useful information, then somebody might conclude that you could get rid of the certificates altogether and just go to a real online transaction (instead of a pseudo-offline infrastructure with most of the downside of being offline, but having most of the overhead of also having an online transaction).

--
Anne & Lynn Wheeler | http://www.garlic.com/~lynn/

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
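The full OCSP exchange discussed in the thread, as an added example that is not part of the post above or of any project's code. It uses the third-party `cryptography` package and builds the CA, the end-entity certificate, the request and the signed response entirely in-process (all names and serials are constructed test data), so it runs offline. The relying-party check at the end shows exactly what a successful response carries: the certificate status, `thisUpdate`, `nextUpdate` and, for a revoked certificate, the revocation time and reason. `nextUpdate` is the only "expiry" in the response and is OPTIONAL in RFC 2560; when it is absent the responder is saying newer information may be available at any time, which is why the check treats a missing one as "do not reject". The `run_exchange` helper and its parameters are this example's own.

```python
"""Offline OCSP exchange: CA, leaf, request, signed response, relying-party check."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID


def _utcnow() -> datetime:
    # Naive UTC at second precision: what the cryptography builders encode and
    # what the parsed this_update/next_update fields come back as.
    return datetime.now(timezone.utc).replace(tzinfo=None, microsecond=0)


def make_ca_and_leaf():
    """Constructed test data: a self-signed CA and one end-entity cert it issued."""
    now = _utcnow()
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    ca_cert = (
        x509.CertificateBuilder()
        .subject_name(ca_name).issuer_name(ca_name)
        .public_key(ca_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(days=1))
        .not_valid_after(now + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(ca_key, hashes.SHA256())
    )
    leaf_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "www.example.test")])
    leaf_cert = (
        x509.CertificateBuilder()
        .subject_name(leaf_name).issuer_name(ca_name)
        .public_key(ec.generate_private_key(ec.SECP256R1()).public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(days=1))
        .not_valid_after(now + timedelta(days=90))
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .sign(ca_key, hashes.SHA256())
    )
    return ca_key, ca_cert, leaf_cert


def build_request(leaf_cert, ca_cert) -> bytes:
    """Client side: DER OCSPRequest naming the cert by CertID (SHA-1, per RFC 5019)."""
    req = ocsp.OCSPRequestBuilder().add_certificate(leaf_cert, ca_cert, hashes.SHA1()).build()
    return req.public_bytes(serialization.Encoding.DER)


def answer_request(req_der, ca_key, ca_cert, leaf_cert, revoked, validity) -> bytes:
    """Responder side: the CA itself answers and signs (no delegated responder cert)."""
    req = ocsp.load_der_ocsp_request(req_der)
    assert req.serial_number == leaf_cert.serial_number
    now = _utcnow()
    if revoked:
        status, rev_time, reason = (ocsp.OCSPCertStatus.REVOKED, now - timedelta(hours=1),
                                    x509.ReasonFlags.key_compromise)
    else:
        status, rev_time, reason = ocsp.OCSPCertStatus.GOOD, None, None
    builder = ocsp.OCSPResponseBuilder().add_response(
        cert=leaf_cert, issuer=ca_cert, algorithm=hashes.SHA1(), cert_status=status,
        this_update=now, next_update=now + validity,   # nextUpdate: the only "expiry"
        revocation_time=rev_time, revocation_reason=reason,
    ).responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert)
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)


def check_response(resp_der, ca_cert, leaf_cert, now) -> dict:
    """Relying party: verify signature, match CertID, enforce the freshness window."""
    resp = ocsp.load_der_ocsp_response(resp_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return {"ok": False, "why": f"responder error {resp.response_status.name}"}
    # Signature covers tbsResponseData; here the issuer key is the responder key.
    ca_cert.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                ec.ECDSA(resp.signature_hash_algorithm))
    if resp.serial_number != leaf_cert.serial_number:
        return {"ok": False, "why": "response is for a different certificate"}
    if resp.this_update > now + timedelta(minutes=5):      # small clock-skew allowance
        return {"ok": False, "why": "thisUpdate is in the future"}
    # nextUpdate is OPTIONAL (RFC 2560); absent means "newer info may exist any time".
    if resp.next_update is not None and resp.next_update < now:
        return {"ok": False, "why": "response is stale (past nextUpdate)"}
    return {
        "ok": True,
        "status": resp.certificate_status.name,
        "this_update": resp.this_update,
        "next_update": resp.next_update,
        "revocation_time": resp.revocation_time,
        "revocation_reason": resp.revocation_reason.name if resp.revocation_reason else None,
    }


def run_exchange(revoked=False, validity_days=7, skew_days=0) -> dict:
    """Whole exchange; the client evaluates the response skew_days after it was produced."""
    ca_key, ca_cert, leaf_cert = make_ca_and_leaf()
    req_der = build_request(leaf_cert, ca_cert)
    resp_der = answer_request(req_der, ca_key, ca_cert, leaf_cert, revoked,
                              timedelta(days=validity_days))
    return check_response(resp_der, ca_cert, leaf_cert, _utcnow() + timedelta(days=skew_days))


if __name__ == "__main__":
    print("good   ", run_exchange())
    print("revoked", run_exchange(revoked=True))
    print("stale  ", run_exchange(skew_days=8))   # client asks 8 days after a 7-day window
```

Everything the responder can say is visible in the dictionary `check_response` returns: a status value, two timestamps, and (only for revoked certificates) a revocation time and reason. The `skew_days=8` run shows the one client-side "expiry" decision that exists, and it is made by the client from `nextUpdate`, not stated by the responder.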
