[kmf-discuss] PKIX certificate path validation (fwd)

[Nicolas Williams]

On Fri, Dec 21, 2007 at 02:55:35PM -0800, Huie-Ying Lee wrote:
>                    However, if they are in order, then the scanning process
> can be implemented faster.

The time to search the list will be in the noise when you add all the PK
ops :)

>                              I'm curious why the draft can not require the
> responses to be in order, just like the certificate array ?

Oversight, no doubt.  (I insisted on having OCSP support added to the
I-D, so this would probably be my oversight.)

>                                                               The party that
> actually acquires a response from the OCSP server in the first place should
> know what certificates are covered by each response. 

Yes.

> One question about section 4.1 - if responses are included along with the
> certificates, then each certificate in the chain should be covered by one 
> of the responses.  Correct ?

Yes, but think this could reasonably be optional.  That is, I think it'd
be reasonable for a client to get an OCSPResponse only for its EE certs
and let the server get the others.  This on the theory that the server
is likely to already have the others, assuming that a small set of
validation paths happen to be very common, which in an intranet would be
true.