[kmf-discuss] kmf_validate_cert changes
Nicolas Williams
Nicolas.Williams at sun.com
Fri Jan 18 09:22:21 PST 2008
On Wed, Jan 16, 2008 at 06:27:28PM -0800, Glenn T. Barry wrote:
> For pkinit, it looks like it does not support ocsp. At least not
> yet, the pkinit rfc does not seem to mention ocsp but there is another
> rfc (4557) that proposes support for ocsp for pkinit. Nico is
> co-author of 4557, I'll see what he thinks.
That's correct.
RFC4557 does not require that the list of OCSPResponses be in any order,
only that the first one must correspond to the signer's cert.
IIRC this issue did come up on the KRB-WG mailing list, but I forget the
details.
IMO:
a) protocols using OCSP should require a specific ordering, but
b) implementations of functions like kmf_validate_cert() should handle
   unordered OCSPResponse lists, and
c) it may be acceptable to ignore unordered OCSPResponse lists and resort
   to getting fresh OCSPResponses or checking CRLs.
I.e., this issue is about optimization. If a sender does not make it
easy to optimize, then to heck with it. But if it's easy enough for the
receiver to do the optimization, then just do it.
Nico
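The receiver-side handling described above (match an unordered OCSPResponse list against the chain, check RFC 4557's first-is-signer rule separately, and fall back to a fresh OCSP query or a CRL when the list does not help), written out as an added Python example. This is not code from the thread, from KMF or from any PKINIT implementation: the Cert and OCSPResponse classes are constructed stand-ins for parsed ASN.1 structures, and the byte strings are placeholders for the DER an implementation would actually hash. What is faithful to the protocol is the CertID (RFC 2560, now RFC 6960): hash of the issuer's Name, hash of the issuer's public key, and the subject certificate's serial, which is why the example also shows that a response carrying the right serial under the wrong issuer must not match.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Cert:
    """Stand-in for a parsed X.509 certificate (constructed). A real
    implementation takes these from the DER Name and SubjectPublicKeyInfo."""
    subject_der: bytes
    spki_key_bits: bytes
    serial: int
    issuer: Optional["Cert"] = None  # None marks a self-signed root


@dataclass(frozen=True)
class CertID:
    """OCSP CertID: what a SingleResponse is keyed on (RFC 2560 / RFC 6960)."""
    hash_alg: str
    issuer_name_hash: bytes
    issuer_key_hash: bytes
    serial: int


@dataclass(frozen=True)
class OCSPResponse:
    """Stand-in for a parsed BasicOCSPResponse holding one SingleResponse."""
    cert_id: CertID
    status: str  # "good" | "revoked" | "unknown"


def cert_id_for(cert: Cert, hash_alg: str = "sha1") -> CertID:
    """CertID a responder would use for `cert`: it hashes the *issuer's*
    name and key, and carries the subject cert's serial."""
    if cert.issuer is None:
        raise ValueError("a self-signed root has no issuer to build a CertID from")
    digest = lambda data: hashlib.new(hash_alg, data).digest()
    return CertID(hash_alg, digest(cert.issuer.subject_der),
                  digest(cert.issuer.spki_key_bits), cert.serial)


def first_matches_signer(responses: List[OCSPResponse], signer: Cert) -> bool:
    """The one ordering rule RFC 4557 does impose: responses[0] is the signer's."""
    return bool(responses) and responses[0].cert_id == cert_id_for(signer)


def match_responses(responses: List[OCSPResponse],
                    chain: List[Cert]) -> Dict[int, Optional[OCSPResponse]]:
    """Order-independent matching. Each response is compared using the hash
    algorithm *it* names, so sha1 and sha256 CertIDs can coexist in one list."""
    matched: Dict[int, Optional[OCSPResponse]] = {}
    for cert in chain:
        if cert.issuer is None:
            continue  # roots are trust anchors, not OCSP subjects
        matched[cert.serial] = next(
            (r for r in responses
             if r.cert_id == cert_id_for(cert, r.cert_id.hash_alg)), None)
    return matched


def revocation_plan(responses: List[OCSPResponse], chain: List[Cert],
                    tolerate_unordered: bool = True) -> Dict[int, str]:
    """Per-cert decision: 'ocsp:<status>' uses a supplied response; 'fetch'
    means obtain a fresh OCSPResponse or consult the CRL (Nico's option c).
    With tolerate_unordered=False a list that breaks the first-is-signer rule
    is ignored wholesale instead of being searched."""
    if not tolerate_unordered and not first_matches_signer(responses, chain[0]):
        return {c.serial: "fetch" for c in chain if c.issuer is not None}
    return {serial: (f"ocsp:{r.status}" if r is not None else "fetch")
            for serial, r in match_responses(responses, chain).items()}


# --- constructed sample data; the bytes are placeholders, not real DER ---
ROOT = Cert(b"CN=Example Root", b"root-public-key", serial=1)
INTERMEDIATE = Cert(b"CN=Example Sub CA", b"subca-public-key", serial=0x1001, issuer=ROOT)
LEAF = Cert(b"CN=kdc.example", b"kdc-public-key", serial=0x2002, issuer=INTERMEDIATE)
OTHER_CA = Cert(b"CN=Other CA", b"other-public-key", serial=7)
CHAIN = [LEAF, INTERMEDIATE, ROOT]  # signer first, as the verifier orders it

RESP_LEAF = OCSPResponse(cert_id_for(LEAF), "good")
RESP_SUB = OCSPResponse(cert_id_for(INTERMEDIATE, "sha256"), "good")
# Same serial as LEAF but issued by an unrelated CA: must never match LEAF.
RESP_STRAY = OCSPResponse(cert_id_for(Cert(b"CN=x", b"k", LEAF.serial, OTHER_CA)), "revoked")

# Sender put the sub-CA response first, violating RFC 4557's first-is-signer rule.
RESPONSES_UNORDERED = [RESP_SUB, RESP_STRAY, RESP_LEAF]

if __name__ == "__main__":
    print("first is signer:", first_matches_signer(RESPONSES_UNORDERED, LEAF))
    print("tolerant:", revocation_plan(RESPONSES_UNORDERED, CHAIN))
    print("strict:  ", revocation_plan(RESPONSES_UNORDERED, CHAIN, tolerate_unordered=False))
```

The tolerant path is the "easy enough, just do it" optimization: one pass over the list per certificate recovers both statuses even though the sender ignored the ordering. The strict path is option (c): the first-is-signer check fails, so the receiver discards the list and fetches. Either way, matching on serial alone would have accepted RESP_STRAY for the signer; matching on the full CertID is what keeps an unrelated CA's response from being used.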