Ram A Moskovitz <[EMAIL PROTECTED]> writes:

> Are you sure OCSP didn't come out of the IETF as an effort to
> 'standardize' the VeriSign / Microsoft certificate status service
> that was launched as an extension to ActiveX?
it may have ... but i know there were people starting to discuss some sort of real-time rube goldberg contraption that attempted to preserve the facade of an offline operation while throwing in a minimum of online operation. i was getting hit with wouldn't it be a modern marvel to convert the payment infrastructure to certificates ... and then pointing out to them, that conversion to an offline certificate-based operation would actually represent regressing the payment infrastructure by at least 20 years.

when we were doing this thing with this small client/server startup that wanted to do payments
http://www.garlic.com/~lynn/aadsm5.htm#asrn2
http://www.garlic.com/~lynn/aadsm5.htm#asrn3
we had to do due diligence on the major operations that were going to be issuing these things called SSL domain name certificates in support of the operation. we were constantly pointing out that most of them were actually doing "certificate manufacturing" (a term we coined at the time) and hadn't actually bothered to implement a real PKI that actually administered and managed the infrastructure. furthermore, the payment infrastructure had learned at least 25 years earlier that revocation lists scaled extremely poorly.

the following is from the PKIX WG minutes apr 7-8 1997

    Sharon Boeyen presented the work to date on Part 2 regarding the use of
    LDAP and FTP for retrieval of certificates and CRLs and the requirements
    for and specification of an Online Certificate Status Protocol (OCSP).

    DISCUSSION 1 - Should we consider splitting the document into two
    separate ones, since the OCSP is a new protocol definition which may
    require significant more review and discussion than the LDAP and FTP
    profiles?

    Resolution: Although we agree that OCSP may require additional review,
    the document will remain a single draft and we will re-address this
    issue, if the OCSP discussion is such that it will require a longer
    review period and impede progression of the remainder of the document.

.....
I have the original email ... but it can also be found here
http://www.imc.org/ietf-pkix/old-archive-97/msg00316.html

some comment about the lead architect for ocsp was from valicert
http://www.rsasecurity.com/press_release.asp?doc_id=334&id=1034

in addition to ocsp ... about the same time there were some other infrastructures looking at various gimmicks to improve the revocation process. note in the following announcement ... they were almost quoting me word-for-word about how archaic the CRL process actually is.

Date: Wed, 29 Oct 1997 21:05:12 -0800
SUBJECT: ON-LINE BANKING/ VALICERT TACKLES FLAW IN E-COMMERCE SECURITY

American Banker via Individual Inc. :

A group of Silicon Valley entrepreneurs has set out to correct a flaw in the digital certification process that many Internet experts have been counting on to make Internet commerce secure.

The solution, called a certificate revocation tree, is the property of Valicert Inc., a Sunnyvale, Calif., company formed last year and officially opened for business this week.

In a sign that Valicert may be on to something that could bring added security to Internet transactions, three vendors in the data encryption field have given endorsements, and Netscape Communications Corp. has made a provision for Valicert's technology to "plug in" to the SuiteSpot server software.

The advent of Valicert indicates that digital certification - a cryptographic technique that is believed to be on the road to broad public acceptance through Internet security protocols such as the credit card industry's SET - needs further refinement.

"Today there is no way to know if a certificate is valid at the time of a transaction - it is known only that the certificate was valid at the time of issuance," said Joseph "Yosi" Amram, president and chief executive officer of Valicert.
He said that if not for the Valicert method of keeping revoked certificates from being approved - it will be available in the form of a tool kit for system developers, a server system, and a service from Valicert - electronic commerce could collapse under the weight of millions of digital certificates that cannot be adequately validated.

SET, the Secure Electronic Transactions protocol adopted by MasterCard and Visa for on-line credit card transactions, illustrates the problem in the extreme. SET requires issuance of digital certificates to all parties to a transaction. They are the E-commerce equivalent of a driver's license to verify a cardholder's identity or a certification that an on-line merchant is what it claims to be.

The complexity of processing transactions with those multiple certificates is widely seen as slowing the adoption of SET. But digital certificates have already been issued by the millions through Netscape and Microsoft Corp.'s Internet browsers. Verisign Inc. and GTE Corp. are prominent certificate vendors.

GTE, Entegrity Solutions, and Entrust Technologies, the leader in public key infrastructure systems, have each agreed to some form of collaboration with Valicert.

Valicert's efforts can "expand the security infrastructure available for commerce," said Tom Carty, vice president of marketing and business development at GTE. "Given our focus on providing all of the pieces of the infrastructure required to make Internet commerce possible, it makes great sense for us to partner with Valicert to fill in one of the most essential pieces of the infrastructure puzzle - the digital credential checkpoint."

In a recent interview, Mr. Amram and Valicert chairman Chini Krishnan said the problem is akin to what the credit card industry faced before electronic authorization systems.
"A merchant would get a book, which came once a week or once a month, full of bad credit card numbers, and credit cards presented at the point of sale would have to be looked up manually," said Mr. Amram, who joined Valicert in August after being involved in other high-tech start-ups and in the Silicon Valley venture capital scene. "It was a big hassle and it slowed down checkout."

The digital certificate equivalent of the hot-card list is known as the certificate revocation list, or CRL. Mr. Krishnan, the Valicert founder, said CRLs are "unscalable," meaning they become cumbersome, if not impossible, to manage as they approach mass-market proportions.

The lack of scalability "has posed a barrier to widespread deployment," Mr. Krishnan said. He claimed that the invention of the certificate revocation tree brings a "1,000-to-1 advantage" that solves the problem of revocation and validation in a tamper-proof and economical way.

"Developers need a cost-effective, one-step solution for building applications that can check the validity of digital certificates," Mr. Amram said. "By providing a clearing house network into multiple certification authorities, and by delivering a robust technology combined with a liberal licensing policy, Valicert will enable the widespread development and use of applications that will make the Internet and corporate intranets safe to conduct business."

"Certificates are the only way to deal with identity in any meaningful way," Mr. Amram said. "They will take off in a big way. But certificates without validation are like a car without brakes."

Mr. Krishnan said the development of Valicert's technology had "a lot of rocket science elements," which is why it took the company 20 months to reach the launch stage. Enhancing its credentials, Paul Kocher, a leading cryptography researcher, is credited with inventing the underlying technology.
Martin Hellman, a Stanford University professor and half of the Diffie-Hellman team that invented public key cryptography, is on Valicert's scientific advisory board.

Commercializers of cryptographic security have been intrigued by Valicert's proposition. When he heard about it during American Banker's Online '97 conference in Phoenix, Scott Dueweke, a marketing manager in International Business Machines Corp.'s Internet division, said, "They should call us."

Another expert, who asked not to be identified, said Valicert's biggest problem is that it is a few years ahead of its time.

"The market has fallen down with respect to revocation management, relying on relatively short expiration dates" to minimize invalid certificates, said Victor Wheatman, a California-based analyst with Gartner Group, Stamford, Conn. "Valicert fills a void and hopes to develop technology before the leading players move forward with their own revocation capabilities."

Valicert's server and tool kit are available now, and its service to certificate acceptors will enter field trials later this year, the company said. The tool kit can be downloaded from the valicert.com Web site free for noncommercial use and evaluation purposes. Application development licenses are a flat $995 with unlimited sublicense rights. The server can be deployed on corporate intranets for $9,995.

--
Anne & Lynn Wheeler | http://www.garlic.com/~lynn/
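An added example, not code from the post above or from Valicert's product, of the kind of certificate revocation tree the article describes: a Merkle tree over the gaps between sorted revoked serial numbers, so a relying party verifies a short proof against the tree root instead of fetching a whole CRL. The revoked serials are constructed; signing and time-stamping of the root, which a deployed responder would add, are assumed and left out.

```python
import hashlib
from bisect import bisect_right

REVOKED = [17, 42, 99, 1234, 5000]   # constructed sample: revoked serial numbers

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _leaf_hash(leaf):
    return _h(f"{leaf[0]}|{leaf[1]}".encode())

def build_crt(revoked):
    """Leaf i is (lo, hi): lo is a revoked serial (or sentinel -1), hi the next
    revoked serial (None after the last); serials strictly between are good."""
    pts = [-1] + sorted(revoked)
    leaves = [(pts[i], pts[i + 1] if i + 1 < len(pts) else None) for i in range(len(pts))]
    levels = [[_leaf_hash(leaf) for leaf in leaves]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:                       # odd width: duplicate the last node
            cur = cur + [cur[-1]]
        levels.append([_h(cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels[-1][0], leaves, levels       # (root, leaves, all hash levels)

def status_proof(levels, leaves, serial):
    """Responder side: the one leaf covering serial plus its Merkle path."""
    idx = bisect_right([lo for lo, _ in leaves], serial) - 1
    path, i = [], idx
    for lvl in levels[:-1]:
        if len(lvl) % 2:
            lvl = lvl + [lvl[-1]]
        path.append((lvl[i ^ 1], bool(i & 1)))  # (sibling hash, sibling is on the left)
        i //= 2
    return leaves[idx], path

def check(root, serial, leaf, path):
    """Relying-party side: recompute the root from the O(log n) proof, then
    read the status off the leaf. A CRL would instead ship all n serials."""
    node = _leaf_hash(leaf)
    for sib, sib_left in path:
        node = _h(sib + node) if sib_left else _h(node + sib)
    if node != root:
        return "bad proof"
    lo, hi = leaf
    if serial == lo:
        return "revoked"
    if lo < serial and (hi is None or serial < hi):
        return "good"
    return "proof does not cover serial"
```

A tampered leaf or a proof reused for a serial outside its interval is rejected, which is the tamper-proof property the article claims for the tree.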
