- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Tue, 23 Nov 2004 15:54:56 +0000
- To: XKMS WG <www-xkms@w3.org>
Folks,

There's an open action [1] on me to check in various places as to whether there ought to be a new ds:KeyInfo option which could contain OCSP responses. Instead of doing that, I'd like to propose that for the purposes of XKMS, we remove the offending text, and thus offer no explicit support for returning OCSP status information in XKMS responses. Two reasons:-

a) I don't believe anyone's really depending on this, since the xkms response itself can effectively give the same information, but more directly, and with probably equivalent security (if the XKMS responder is going to cheat on you, it can probably set things up so you'll swallow a bogus OCSP response by first feeding you a bogus caCert).

b) I believe that consulting with PKIX and others might take a long time to produce a result, and in any case, the PKIX folks are mainly taken up with revising rfc3280 these days, so the chances of the topic getting serious consideration are perhaps slim.

So, I propose we resolve the issue by removing mention of xkms responses containing OCSP responses. That means removing the OCSP row of the table in #3.2.3 and the related line of schema (an enumeration, so no impact elsewhere).

We can discuss this on the call today if useful/necessary.

Regards,
Stephen.

[1] http://lists.w3.org/Archives/Public/www-xkms/2004Sep/0014.html
Received on Tuesday, 23 November 2004 15:51:28 UTC