
RE: Periodic certificate validation check




> If you were using OCSP the same applies (use the next update field).

The next update field is only useful in that fashion if the OCSP service is
CRL driven.

In the case of the VeriSign OCSP service, the OCSP service always reports the
current status of the certificate as defined by the authoritative
certificate status database.


If you want to have pre-emptive cancellation of sessions based on revocation
of certificates, you really need to define a very different interface to the
PKI that provides active status notification.

For the sake of prior art, this is described in my X-TASS research note.
However, I don't think that there is sufficient demand for a system that
involves that degree of complexity.

In practice, the way to pre-empt applications is in the authorization layer.
The overhead of supporting pre-emption is such that you do not want to
duplicate the effort for the authentication and authorization infrastructures -
if in fact it is worth implementing at all.


However this is addressed, it is not an IPSEC problem...


		Phill
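The distinction drawn in the message (nextUpdate is a meaningful re-check boundary only when the responder is CRL-driven; a live-status responder such as the VeriSign model described above says nothing through nextUpdate about when a revocation might appear) can be made concrete as a small re-validation scheduler. The following is an added example written for this page, not code from the thread or from any responder vendor; the `ResponderMode` classification, the `plan_recheck` function, the local `policy_interval` and the clock-skew allowance are all assumptions of the example. Its handling of an absent nextUpdate follows RFC 6960, where absence means newer status information may be available at any time.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class ResponderMode(Enum):
    # Hypothetical classification (not an OCSP protocol field): the relying
    # party must know how its responder is fed.
    # CRL_DRIVEN: the responder serves a periodically published CRL, so
    # nextUpdate marks when fresher data will exist.
    CRL_DRIVEN = "crl-driven"
    # LIVE_STATUS: the responder answers from the authoritative status
    # database; every answer is current and nextUpdate is not a cue for
    # when a revocation could appear, so only local policy sets the cadence.
    LIVE_STATUS = "live-status"


@dataclass
class OcspTimes:
    """thisUpdate / nextUpdate from a SingleResponse (UTC datetimes)."""
    this_update: datetime
    next_update: Optional[datetime]  # None: newer info may exist at any time (RFC 6960)


def plan_recheck(times: OcspTimes, mode: ResponderMode, now: datetime,
                 policy_interval: timedelta,
                 max_skew: timedelta = timedelta(minutes=5)) -> datetime:
    """Return the UTC time at which the relying party should re-validate.

    Raises ValueError for responses that are inconsistent, stale, or not
    yet valid (beyond the permitted clock skew).
    """
    if times.this_update > now + max_skew:
        raise ValueError("thisUpdate is in the future beyond allowed clock skew")
    if times.next_update is not None and times.next_update < times.this_update:
        raise ValueError("nextUpdate precedes thisUpdate")
    if times.next_update is not None and times.next_update < now - max_skew:
        raise ValueError("response is stale: nextUpdate has already passed")

    policy_deadline = now + policy_interval
    if mode is ResponderMode.LIVE_STATUS or times.next_update is None:
        # nextUpdate carries no scheduling information here: local policy decides.
        return policy_deadline
    # CRL-driven: nothing newer will be published before nextUpdate, but never
    # wait longer than local policy allows.
    return min(times.next_update, policy_deadline)


if __name__ == "__main__":
    # Constructed sample times, not from any real responder.
    now = datetime(2000, 1, 1, 12, 0, tzinfo=timezone.utc)
    sample = OcspTimes(this_update=now - timedelta(hours=1),
                       next_update=now + timedelta(hours=23))
    for mode in ResponderMode:
        print(mode.value, plan_recheck(sample, mode, now, timedelta(hours=6)))
</test>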