Thanks Anders! Do you have any contacts for people working on that project? We might want to reach out to them as possible implementors and maybe start a conversation with them about possible requirements? And eventually let them know about the progress we might accomplish in the area.
Cheers,
Max

P.S.: Since Stephen and Kathleen asked me to have the conversation on The Right Key mailing list ([email protected]), could you please send the replies only there? We should not use both the therightkey and pkix MLs :-)

> On Nov 14, 2014, at 9:11 PM, Anders Rundgren <[email protected]> wrote:
>
> Since you want to do something in revocation I would like to
> describe an existing potentially global PKI-using system that
> maybe could be improved.
>
> The EU e-passport system needs for cross-border checking of biometrics
> a pretty elaborate PKI scheme which among many things requires
> the parties to expose two public ports on the Internet; one for
> the actual communication using HTTPS [1] and another for publishing
> CRLs using HTTP. This isn't rocket science but it still requires
> multiple FW settings and proxies. If OCSP responses could be
> stapled (TLS client cert auth is used), relying parties would only
> have to open a single inbound port. Cross-border reliability would
> probably also be improved since the client (sender) wouldn't be able
> to submit any data unless its OCSP is running (the PKIs are unique
> per country).
>
> TLS 1.3 and 2.0 are in the works so the timing is right...
>
> Anders
>
> [1] I might add that I believe HTTPS with client certificate auth
> is a very poor choice for cross-border communication when each party
> runs their own PKI. Signed messages permit a multi-tier architecture
> and quarantining of not-yet-trusted messages, greatly simplifying
> operation. BSI are experts on crypto, but n00bs on IT :-)
>
> _______________________________________________
> pkix mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/pkix

_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
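As an added worked example (not part of the thread above, and not code from the e-passport system, BSI or any IETF draft): the "staple the sender's OCSP response instead of publishing a CRL port" idea from Anders' message, reproduced offline with the openssl command line. One country's PKI is stood in for by a constructed self-signed CA that also signs its own OCSP responses; a "good" and a "revoked" sender (TLS client) certificate are issued from it; the sender asks its own PKI's responder for a response, which is the object it would staple; and the relying party verifies that response against the sender country's CA without any inbound port or outbound fetch. The CA name, subjects, serials and the index.txt rows are all made up for the example; it assumes an openssl binary (1.1.1 or later) and mktemp on the path.

```shell
#!/bin/sh
# Added example: OCSP responses for TLS *client* certificates, produced by the
# sender's own PKI and verified offline by the relying party. Everything here
# (CA name, subjects, serials, index.txt rows) is constructed for the demo.

WORK="${WORK:-$(mktemp -d)}"

# One country's PKI: a self-signed CA that also signs its own OCSP responses.
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
      -subj "/CN=Example Country CA" \
      -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null || return 1
  # Two sender (TLS client) certificates, serials 0x1001 and 0x1002.
  for name in good revoked; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name-sender" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null || return 1
  done
  openssl x509 -req -in "$WORK/good.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
      -set_serial 0x1001 -days 30 -out "$WORK/good.pem" 2>/dev/null || return 1
  openssl x509 -req -in "$WORK/revoked.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
      -set_serial 0x1002 -days 30 -out "$WORK/revoked.pem" 2>/dev/null || return 1
  # The CA's certificate database in the format 'openssl ca' / 'openssl ocsp -index'
  # read: status (V/R), expiry, revocation date, serial (hex), file, subject.
  # Serial 0x1002 is marked revoked; the revocation date is a made-up UTCTime.
  printf 'V\t301231235959Z\t\t1001\tunknown\t/CN=good-sender\n' > "$WORK/index.txt"
  printf 'R\t301231235959Z\t241114210000Z\t1002\tunknown\t/CN=revoked-sender\n' >> "$WORK/index.txt"
}

# Sender side: build an OCSP request for its own certificate, have its own
# PKI's responder answer it, and keep the DER response. This is the object the
# sender would staple next to its certificate in the TLS handshake, instead of
# the relying party fetching a CRL over a second inbound port. No nonce: a
# pre-fetched response cannot answer a per-handshake nonce anyway.
fetch_staple() {   # $1 = good | revoked
  openssl ocsp -issuer "$WORK/ca.pem" -cert "$WORK/$1.pem" -no_nonce \
      -reqout "$WORK/$1.req" >/dev/null 2>&1
  openssl ocsp -index "$WORK/index.txt" -CA "$WORK/ca.pem" \
      -rsigner "$WORK/ca.pem" -rkey "$WORK/ca.key" -rmd sha256 \
      -reqin "$WORK/$1.req" -respout "$WORK/$1.ocsp" >/dev/null 2>&1
  [ -s "$WORK/$1.ocsp" ]
}

# Relying-party side: verify the stapled response against the sender country's
# CA with no network access, and print the certificate status word
# (good, revoked, unknown), or verify-failed if the signature/chain check fails.
check_staple() {   # $1 = good | revoked
  out=$(openssl ocsp -respin "$WORK/$1.ocsp" -issuer "$WORK/ca.pem" \
        -cert "$WORK/$1.pem" -CAfile "$WORK/ca.pem" -no_nonce 2>&1 || true)
  case "$out" in
    *"Response verify OK"*) ;;
    *) echo "verify-failed"; return 0 ;;
  esac
  printf '%s\n' "$out" | sed -n "s|^$WORK/$1.pem: ||p"
}

make_pki && fetch_staple good && fetch_staple revoked || { echo "setup failed" >&2; exit 1; }
echo "good-sender:    $(check_staple good)"      # good
echo "revoked-sender: $(check_staple revoked)"   # revoked
```

Two things this makes concrete. First, the relying party only ever needs the sender country's CA certificate and the stapled response; the "is the sender's OCSP running" property from the message falls out naturally, because `fetch_staple` produces nothing when the responder is down and the relying party then has nothing to verify. Second, because a staple is pre-fetched it carries no nonce (hence `-no_nonce` on both sides), so freshness rests entirely on thisUpdate/nextUpdate and on the relying party's tolerance for their age. What the example does not show is the transport: in TLS 1.3 a server asks a client for a staple with an empty status_request extension in CertificateRequest, and the client returns the response in its Certificate message (RFC 8446, section 4.4.2.1); the openssl ocsp tool only covers producing and checking the object.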
