[kmf-discuss] PKIX certificate path validation
Wyllys Ingersoll
wyllys.ingersoll at sun.com
Fri Jan 4 04:42:00 PST 2008
Jan Pechanec wrote:
> On Fri, 21 Dec 2007, Huie-Ying Lee wrote:
>
> hi Huie-Ying,
>
>> If the number of OCSP responses does not correspond to the number of
>> certificates, then it is not easy to decide the mapping between the
>> certificates and the responses. A response file
>
> I think that we can't force the situation where we have an OCSP
> single response for each certificate. Every CA on the way can have a
> different policy so some might not use OCSP at all but CRL only.
Most commonly, I would expect only a single CA, or at most maybe 2, to
be involved. But, theoretically, I think you are correct, there *could*
be many CAs with different policies.
>
>> If there is only one response file for the entire chain, then it is OK,
>> because in this situation, we can safely assume that this response file
>> is for all the certificates in the chain.
>
> I think that if the OCSP response list was "sorted" according to the
> list of certificates then it's not a problem if some OCSP responses are
> missing. It's not O(n^2) but O(n) then.
>
> I also think that it would be better to get certificates and
> responses in pairs in SSH protocols, where OCSP part would be optional. I
> approached IETF SSH list with that. Do you think that if you got an array of
> certificate/response pairs (response optional) that it would be better for
> you?
>
> cheers, Jan.
Yes, it would certainly make the processing faster if the response was
included with each cert.
-Wyllys
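The pairing the thread is circling around (each certificate in the chain matched to its OCSP response, with responses optional because some CAs only publish CRLs) can be done in one pass once responses are keyed by their CertID, whatever order they arrive in. The example below is added here and is not KMF code or anything from the posters; it uses a simplified stand-in for the RFC 2560 CertID (issuer name plus serial, instead of issuer name hash, issuer key hash and serial), constructed certificates and responses, and a hypothetical `crl_status` callback that stands in for a CRL lookup for CAs that issued no OCSP response. The overall verdict is "good" only when every non-anchor certificate resolves to "good" from some source.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Simplified stand-in for the OCSP CertID (RFC 2560 keys a single response by
# hashes of the issuer name and issuer key plus the serial number). Assumption
# for this example only.
@dataclass(frozen=True)
class CertID:
    issuer: str
    serial: int


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int

    def cert_id(self) -> CertID:
        return CertID(self.issuer, self.serial)


@dataclass(frozen=True)
class OCSPSingleResponse:
    cert_id: CertID
    status: str  # "good", "unknown" or "revoked"


# Order used to resolve duplicate responses for one CertID: keep the most severe.
_SEVERITY = {"good": 0, "unknown": 1, "revoked": 2}


def pair_responses(chain: List[Cert], responses: List[OCSPSingleResponse]
                   ) -> List[Tuple[Cert, Optional[OCSPSingleResponse]]]:
    """Map each certificate to its OCSP response, or None if the CA sent none.

    One dict build plus one pass over the chain: O(n) regardless of whether the
    responses arrived sorted to match the certificate list.
    """
    by_id: Dict[CertID, OCSPSingleResponse] = {}
    for resp in responses:
        cur = by_id.get(resp.cert_id)
        if cur is None or _SEVERITY[resp.status] > _SEVERITY[cur.status]:
            by_id[resp.cert_id] = resp
    return [(cert, by_id.get(cert.cert_id())) for cert in chain]


def check_chain(chain: List[Cert], responses: List[OCSPSingleResponse],
                crl_status: Callable[[CertID], Optional[str]]
                ) -> Tuple[bool, List[Tuple[str, str, str]], List[CertID]]:
    """Return (verdict, per-certificate report, unmatched response ids).

    The last element of `chain` is the trust anchor and is not checked. A
    certificate with no OCSP response falls back to `crl_status`; if that
    returns None too, its status is "unknown" and the chain is not accepted.
    """
    report: List[Tuple[str, str, str]] = []
    for cert, resp in pair_responses(chain[:-1], responses):
        if resp is not None:
            status, source = resp.status, "ocsp"
        else:
            crl = crl_status(cert.cert_id())
            status, source = (crl, "crl") if crl is not None else ("unknown", "none")
        report.append((cert.subject, status, source))
    # Responses whose CertID matches nothing in the chain mean the response
    # list and certificate list are out of step; surface them to the caller.
    chain_ids = {c.cert_id() for c in chain}
    unmatched = [r.cert_id for r in responses if r.cert_id not in chain_ids]
    ok = all(status == "good" for _, status, _ in report)
    return ok, report, unmatched


# Constructed sample chain: leaf <- issuing CA <- root (trust anchor).
ROOT = Cert("CN=Example Root", "CN=Example Root", 1)
INTER = Cert("CN=Example Issuing CA", "CN=Example Root", 2)
LEAF = Cert("CN=host.example.test", "CN=Example Issuing CA", 1001)
CHAIN = [LEAF, INTER, ROOT]

# Only the issuing CA runs an OCSP responder; the root publishes a CRL only,
# so the intermediate has no OCSP response at all.
RESPONSES = [OCSPSingleResponse(LEAF.cert_id(), "good")]
ROOT_CRL_REVOKED = {CertID("CN=Example Root", 7)}  # constructed CRL contents


def demo_crl(cert_id: CertID) -> Optional[str]:
    """Hypothetical CRL lookup: only the root's CRL is available."""
    if cert_id.issuer != "CN=Example Root":
        return None
    return "revoked" if cert_id in ROOT_CRL_REVOKED else "good"


if __name__ == "__main__":
    ok, report, unmatched = check_chain(CHAIN, RESPONSES, demo_crl)
    for subject, status, source in report:
        print(f"{subject}: {status} (via {source})")
    print("chain accepted:", ok, "| unmatched responses:", unmatched)
```

Keying on CertID rather than on position also catches the failure mode Huie-Ying raised: a response list that does not line up with the certificate list shows up as unmatched ids and as certificates left with no source, instead of being silently attached to the wrong certificate.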