OCSP action

From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Date: Tue, 23 Nov 2004 15:54:56 +0000
Message-ID: <41A35D50.1020008@cs.tcd.ie>
To: XKMS WG <www-xkms@w3.org>


Folks,

There's an open action [1] on me to check in various
places as to whether there ought to be a new ds:KeyInfo
option which could contain OCSP responses.

Instead of doing that, I'd like to propose that for the
purposes of XKMS, we remove the offending text, and thus
offer no explicit support for returning OCSP status
information in XKMS responses.

Two reasons:-

a) I don't believe anyone's really depending on this,
since the xkms response itself can effectively give
the same information, but more directly, and with
probably equivalent security (if the XKMS responder
is going to cheat on you, it can probably set things
up so you'll swallow a bogus OCSP response by first
feeding you a bogus caCert)

b) I believe that consulting with PKIX and others,
might take a long time to produce a result, and in any
case, the PKIX folks are mainly taken up with revising
rfc3280 these days, so the chances of the topic getting
serious consideration are perhaps slim.

So, I propose we resolve the issue by removing mention
of xkms responses containing OCSP responses. That means
removing the OCSP row of the table in #3.2.3 and the
related line of schema (an enumeration, so no impact
elsewhere).

We can discuss this on the call today if
useful/necessary.

Regards,
Stephen.

[1] http://lists.w3.org/Archives/Public/www-xkms/2004Sep/0014.html
Received on Tuesday, 23 November 2004 15:51:28 GMT