OCSP action

Folks,

There's an open action [1] on me to check in various
places as to whether there ought to be a new ds:KeyInfo
option which could contain OCSP responses.

Instead of doing that, I'd like to propose that for the
purposes of XKMS, we remove the offending text, and thus
offer no explicit support for returning OCSP status
information in XKMS responses.

Two reasons:-

a) I don't believe anyone's really depending on this,
since the xkms response itself can effectively give
the same information, but more directly, and with
probably equivalent security (if the XKMS responder
is going to cheat on you, it can probably set things
up so you'll swallow a bogus OCSP response by first
feeding you a bogus caCert)

b) I believe that consulting with PKIX and others
might take a long time to produce a result, and in any
case, the PKIX folks are mainly taken up with revising
rfc3280 these days, so the chances of the topic getting
serious consideration are perhaps slim.

So, I propose we resolve the issue by removing mention
of xkms responses containing OCSP responses. That means
removing the OCSP row of the table in #3.2.3 and the
related line of schema (an enumeration, so no impact
elsewhere).

We can discuss this on the call today if
useful/necessary.

Regards,
Stephen.

[1] http://lists.w3.org/Archives/Public/www-xkms/2004Sep/0014.html

Received on Tuesday, 23 November 2004 15:51:28 UTC