[kmf-discuss] PKIX certificate path validation

Jan Pechanec Jan.Pechanec at Sun.COM
Tue Jan 8 17:25:57 PST 2008


On Tue, 8 Jan 2008, Huie-Ying Lee wrote:

	hi Huie-Ying,

>> 	I think that we can't force the situation where we have an OCSP 
>> single response for each certificate. Every CA on the way can have a
>> different policy so some might not use OCSP at all but CRL only.
>
>Yes, there is no need to have an OCSP single response for each certificate,
>as I commented in my last email right before the holiday break.

	ah, ok, I must have overlooked that.

>> 	I also think that it would be better to get certificates and 
>> responses in pairs in SSH protocols, where the OCSP part would be optional. I 
>> approached IETF SSH list with that. Do you think that if you got an array of 
>> certificate/response pairs (response optional) that it would be better for 
>> you?
>
>Yes, that will be much better because of no ambiguity.  

	unfortunately, I still haven't received any feedback from the community or 
the authors of the SSH/x509 draft. I keep trying.

>If a certificate in the array (chain) doesn't have the response part, what's the 
>behavior you expect from kmf_validate_cert() ?   I assume that if the policy is 
>set to check the revocation status, then we should try to check CRL.

	I think that even when the response is there it's on the policy to 
decide. If an admin doesn't specify OCSP usage in the policy, those 
responses should be just ignored. Does that make sense?

	thanks, Jan.

-- 
Jan Pechanec
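The decision rule discussed in this message (the policy, not the presence of an in-band OCSP response, decides which revocation check a certificate gets, with CRL as the fallback when a response is absent) as an added example; this is constructed illustration code, not KMF's implementation, and the Policy and ChainEntry types and the plan_revocation_checks() function are assumptions standing in for the real policy record and kmf_validate_cert() internals.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical policy model (assumption, not KMF's KMF_POLICY_RECORD):
# which revocation mechanisms the administrator has enabled.
@dataclass(frozen=True)
class Policy:
    check_revocation: bool = False
    use_ocsp: bool = False
    use_crl: bool = False

@dataclass(frozen=True)
class ChainEntry:
    subject: str                           # constructed label standing in for the cert
    ocsp_response: Optional[bytes] = None  # optional single response carried with the cert

def plan_revocation_checks(chain: List[ChainEntry], policy: Policy) -> List[Tuple[str, str]]:
    """Return (subject, method) per certificate, method in {'ocsp', 'crl', 'none'}.

    Raises ValueError when the policy demands a revocation check but no
    usable mechanism remains for a certificate (the failure mode to guard).
    """
    plan = []
    for entry in chain:
        if not policy.check_revocation:
            # Policy does not ask for revocation checks: an in-band OCSP
            # response, if present, is simply ignored.
            plan.append((entry.subject, "none"))
        elif policy.use_ocsp and entry.ocsp_response is not None:
            plan.append((entry.subject, "ocsp"))
        elif policy.use_crl:
            # No response for this cert, or OCSP not enabled: fall back to CRL.
            plan.append((entry.subject, "crl"))
        else:
            raise ValueError(f"no revocation mechanism available for {entry.subject}")
    return plan

# Constructed sample chain: only the leaf carries a single response.
SAMPLE_CHAIN = [
    ChainEntry("leaf", ocsp_response=b"\x30\x03\x0a\x01\x00"),  # constructed bytes
    ChainEntry("intermediate"),
    ChainEntry("root"),
]

if __name__ == "__main__":
    print(plan_revocation_checks(SAMPLE_CHAIN, Policy(True, use_ocsp=True, use_crl=True)))
```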

