[kmf-discuss] PKIX certificate path validation
Huie-Ying Lee
huie-ying.lee at sun.com
Tue Jan 8 17:50:30 PST 2008
Jan Pechanec wrote:
> On Tue, 8 Jan 2008, Huie-Ying Lee wrote:
>
> hi Huie-Ying,
>
>>> I think that we can't force the situation where we have an OCSP
>>> single response for each certificate. Every CA on the way can have a
>>> different policy so some might not use OCSP at all but CRL only.
>> Yes, there is no need to have an OCSP single response for each certificate,
>> as I commented in my last email right before the holiday break.
>
> ah, ok, I must have overlooked that.
>
>>> I also think that it would be better to get certificates and
>>> responses in pairs in SSH protocols, where OCSP part would be optional. I
>>> approached IETF SSH list with that. Do you think that if you got an array of
>>> certificate/response pairs (response optional) that it would be better for
>>> you?
>> Yes, that will be much better because of no ambiguity.
>
> unfortunately, I still didn't get any feedback from the community or
> the authors of the SSH/x509 draft. I keep trying.
>
>> If a certificate in the array (chain) doesn't have the response part, what's the
>> behavior you expect from kmf_validate_cert() ? I assume that if the policy is
>> set to check the revocation status, then we should try to check CRL.
>
> I think that even when the response is there it's on the policy to
> decide. If an admin doesn't specify OCSP usage in the policy, those
> responses should be just ignored. Does that make sense?
>
Yes, the policy should have a higher priority.
> thanks, Jan.
>
Thanks,
Huie-Ying
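The decision rule agreed in the exchange above (the policy decides first; a stapled OCSP single response is used only when the policy enables OCSP, and a certificate that arrives without one falls back to CRL when the policy allows it) can be sketched as a small precedence function. This is an added illustration, not libkmf code or the kmf_validate_cert() implementation: the `policy`, `cert_pair` and `rev_decision` types, the `decide_revocation()` and `first_unverifiable()` helpers and the sample chain are all constructed for this example, and the choice to fail closed under an OCSP-only policy when no response is present is an assumption of the example, not something the thread settles.

```c
#include <stddef.h>
#include <stdio.h>

/* Policy bits: which revocation-check mechanisms the administrator enabled.
 * Constructed for this example; not libkmf's policy structure. */
enum rev_method { REV_NONE = 0, REV_OCSP = 1 << 0, REV_CRL = 1 << 1 };

struct policy {
    unsigned methods;               /* bitmask of enum rev_method */
};

/* One element of the certificate/response array discussed in the thread:
 * the certificate plus an optional OCSP single response for it. */
struct cert_pair {
    const char *label;              /* stand-in for the certificate itself */
    const unsigned char *ocsp_resp; /* NULL when the peer sent no response */
    size_t ocsp_len;
};

enum rev_decision {
    DECISION_SKIP,   /* policy does not request revocation checks at all */
    DECISION_OCSP,   /* policy allows OCSP and a response is present */
    DECISION_CRL,    /* no usable response, or OCSP disabled: use CRL */
    DECISION_FAIL    /* policy requires a check but nothing is usable */
};

/* Policy has priority: a stapled response is consulted only when OCSP is
 * enabled and is silently ignored otherwise. */
enum rev_decision decide_revocation(const struct policy *p,
                                    const struct cert_pair *c)
{
    if (p->methods == REV_NONE)
        return DECISION_SKIP;
    if ((p->methods & REV_OCSP) && c->ocsp_resp != NULL && c->ocsp_len > 0)
        return DECISION_OCSP;
    if (p->methods & REV_CRL)
        return DECISION_CRL;
    /* Assumption of this example: an OCSP-only policy with no response for
     * this certificate fails closed instead of issuing a live OCSP query. */
    return DECISION_FAIL;
}

/* Evaluate a whole chain. Returns the index of the first certificate whose
 * revocation status cannot be checked under the policy, or -1 if none.
 * When out is non-NULL it receives the per-certificate decision. */
int first_unverifiable(const struct policy *p, const struct cert_pair *chain,
                       size_t n, enum rev_decision *out)
{
    int first = -1;
    for (size_t i = 0; i < n; i++) {
        enum rev_decision d = decide_revocation(p, &chain[i]);
        if (out != NULL)
            out[i] = d;
        if (d == DECISION_FAIL && first < 0)
            first = (int)i;
    }
    return first;
}

/* Constructed sample chain: the intermediate arrived without a response.
 * The response bytes are placeholders, not a real DER-encoded OCSP response. */
static const unsigned char fake_resp[] = { 0x30, 0x03, 0x0a, 0x01, 0x00 };
const struct cert_pair sample_chain[] = {
    { "leaf",         fake_resp, sizeof fake_resp },
    { "intermediate", NULL,      0 },
    { "root",         fake_resp, sizeof fake_resp },
};
const size_t sample_chain_len = sizeof sample_chain / sizeof sample_chain[0];

int main(void)
{
    static const char *names[] = { "skip", "ocsp", "crl", "FAIL" };
    enum rev_decision out[3];
    struct policy ocsp_only = { REV_OCSP };
    int bad = first_unverifiable(&ocsp_only, sample_chain, sample_chain_len, out);
    for (size_t i = 0; i < sample_chain_len; i++)
        printf("%-12s -> %s\n", sample_chain[i].label, names[out[i]]);
    printf("first unverifiable index: %d\n", bad);
    return 0;
}
```

With the OCSP-only policy the intermediate certificate is the first one that cannot be checked; enabling CRL as well lets it fall back, and a policy with no revocation bits ignores the stapled responses entirely, which is the "policy has higher priority" behaviour from the thread.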