[kmf-discuss] PKIX certificate path validation

Jan Pechanec Jan.Pechanec at Sun.COM
Thu Jan 3 12:38:21 PST 2008


On Fri, 21 Dec 2007, Huie-Ying Lee wrote:

	hi Huie-Ying,

>If the number of OCSP responses does not correspond to the number of
>certificates, then it is not easy to decide the mapping between the
>certificates and the responses. A response file

	I think that we can't force the situation where we have an OCSP 
single response for each certificate. Every CA on the way can have a 
different policy so some might not use OCSP at all but CRL only.
	
>If there is only one response file for the entire chain, then it is OK,
>because in this situation, we can safely assume that this response file
>is for all the certificates in the chain.

	I think that if the OCSP response list was "sorted" according to the 
list of certificates then it's not a problem if some OCSP responses are 
missing. It's not O(n^2) but O(n) then.

	I also think that it would be better to get certificates and 
responses in pairs in SSH protocols, where OCSP part would be optional. I 
approached IETF SSH list with that. Do you think that if you got an array of 
certificate/response pairs (response optional) that it would be better for 
you?

	cheers, Jan.

-- 
Jan Pechanec
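One way to implement the pairing Jan describes, as an added example that is not part of this thread or of KMF itself: the Cert/OcspResponse types and the sample chain are constructed stand-ins for the issuer/serial fields a real implementation would read from the X.509 certificate and the OCSP CertID.

```python
from dataclasses import dataclass

# Constructed stand-ins for the fields a path validator reads from an X.509
# certificate and an OCSP SingleResponse (CertID = issuer + serial).
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int

@dataclass(frozen=True)
class OcspResponse:
    issuer: str   # issuer name of the certificate the response covers
    serial: int   # serial number of that certificate
    status: str   # "good", "revoked" or "unknown"

def covers(resp: OcspResponse, cert: Cert) -> bool:
    return resp.issuer == cert.issuer and resp.serial == cert.serial

def pair_sorted(chain, responses):
    """Responses arrive in chain order but some may be absent (a CA may use
    CRLs only). One pass over both lists: O(n)."""
    pairs, j = [], 0
    for cert in chain:
        resp = None
        if j < len(responses) and covers(responses[j], cert):
            resp, j = responses[j], j + 1
        pairs.append((cert, resp))
    if j != len(responses):          # leftover responses match no certificate
        raise ValueError("OCSP response does not match chain order")
    return pairs

def pair_unsorted(chain, responses):
    """Without an ordering guarantee every certificate must be compared
    against every response: O(n^2)."""
    return [(c, next((r for r in responses if covers(r, c)), None)) for c in chain]

def needs_crl(pairs):
    """Certificates left without an OCSP response; the validator must fall
    back to another revocation source such as a CRL for these."""
    return [c.subject for c, r in pairs if r is None]

# Constructed chain: host <- Inter CA <- Root CA. Only the leaf's issuer
# publishes OCSP responses; the root uses CRLs only.
CHAIN = [Cert("host", "Inter CA", 1001),
         Cert("Inter CA", "Root CA", 7),
         Cert("Root CA", "Root CA", 1)]
RESPONSES = [OcspResponse("Inter CA", 1001, "good")]
```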

