On 27/11/13 15:43, Tim Moses wrote:
Hi Rob. I can't argue with that.
But, isn't our focus more on design choices than implementation flaws? After
all, IETF can help fix problems with protocol design and configuration, but
there is less they can do about bugs.
Generally, I would be supportive of gathering more (rather than less)
information. But, I am also acutely aware that we have to finish the project
on schedule, and we are reliant on the good will of busy people.
Having said all that, I don't object to sending the survey to all the CAs in
the usual trust anchor lists.
Hi Tim. Google may soon conduct a survey of all the publicly-trusted
CAs to find out what CA software and OCSP software each CA is using, in
order to find out which CA/OCSP software will need to be updated to
support various features of Certificate Transparency (RFC6962).
I asked Ben Laurie about this yesterday, and he said he might kick off a
survey as early as next week. (CC'ing Ben).
If Google do their survey first, then this will hopefully yield a full
list of OCSP software authors for WPKOPS to survey. :-)
But, I wouldn't necessarily give high priority to chasing responses and
analyzing them.
I'm also happy to defer to the group if this is generally viewed to be of
higher priority.
All the best. Tim.
On Nov 27, 2013, at 9:30 AM, "Rob Stradling" <[email protected]> wrote:
On 27/11/13 13:27, Tim Moses wrote:
Hi Rob. I would say "yes" to this if we thought it might uncover an issue that
needed fixing. Otherwise, we might just be creating a lot of extra work for little
benefit.
What do you think? All the best. Tim.
I have no idea if this would uncover any issues that would need fixing.
But if we're going to scrutinize the commercial software, why wouldn't we also
scrutinize the in-house software?
In-house software isn't any less likely to contain bugs just because it isn't
sold commercially!
On Nov 27, 2013, at 5:08 AM, "Rob Stradling" <[email protected]> wrote:
On 26/11/13 23:46, Rick Andrews wrote:
Folks,
I’m thinking we should also send the survey to vendors of OCSP Responder
software. I know of CoreStreet, and I’ve heard tell of others, but I
don’t know who they are.
Hi Rick. Some CAs have written their own OCSP Responder software in-house. Since it's
for their own use, they're not acting as "vendors", but nonetheless I'd say
that the behaviour of this software is of just as much interest as the behaviour of, say,
Corestreet's software.
Perhaps we need to send the survey to every publicly-trusted CA!
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
wpkops mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/wpkops
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com
COMODO CA Limited, Registered in England No. 04058690
Registered Office:
3rd Floor, 26 Office Village, Exchange Quay,
Trafford Road, Salford, Manchester M5 3EQ
This e-mail and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. If you have received this email in error please notify the
sender by replying to the e-mail containing this attachment. Replies to
this email may be monitored by COMODO for operational or business
reasons. Whilst every endeavour is taken to ensure that e-mails are free
from viruses, no liability can be accepted and the recipient is
requested to use their own virus checking software.
_______________________________________________
wpkops mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/wpkops
