
Re: [Ipsec] RE: OCSP in IKEv2
On Tue, Aug 10, 2004 at 06:41:45PM -0700, Paul Hoffman / VPNC wrote:
> At 4:31 PM -0700 8/9/04, Michael Myers wrote:
> >BTW, the ADs have agreed this I-D will be placed onto the Standards
> >Track, subject to resolution of comments.
> 
> Such a statement seems wildly premature for a -00 document.
> 
> To date, there has been nearly zero interest from anyone in the IPsec 
> vendor community for in-band OCSP. Further, I am unaware of any demand 
> from the VPN user community for this. Having a standards-track 
> document will lead some to think that vendors are supposed to support 
> this. Given that there is no actual need for handling OCSP in IPsec, 
> the document should not move on to standards track; Experimental 
> status is fine.

Let me confirm that there is interest in this general use of OCSP: that
each peer that can sends OCSP response(s) for *its* certificate.

Michael's I-D helped clear up some confusion about "OCSP tunnelling" in
the KRB WG; "OCSP tunnelling" is not a good way to describe this as
there's no exchange of OCSP _requests_ and responses, just responses.

Think of this as a way of sending a CRL in-band but not in the cert,
with the benefit that the overall size of an OCSP response for one cert
is, practically speaking, constant, as opposed to the practically
unbounded size of CRLs.

Nico
-- 

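The size argument in the last paragraph of the reply above, as an added example (not code from the thread, from the I-D, or from any IPsec implementation): build one "good" OCSP response for a peer's own certificate and a CRL from the same CA, and compare their DER sizes as the CRL grows. It assumes the Python `cryptography` package is installed; the CA, the peer certificate and every serial number are constructed here for the demonstration.

```python
import datetime
from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec

NOW = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)  # naive UTC
DAY = datetime.timedelta(days=1)

def _cert(subject, issuer_name, pubkey, serial, signer):
    """Constructed test certificate, valid for one day (self-signed if no issuer)."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject)])
    issuer = issuer_name if issuer_name is not None else name
    return (x509.CertificateBuilder().subject_name(name).issuer_name(issuer)
            .public_key(pubkey).serial_number(serial)
            .not_valid_before(NOW).not_valid_after(NOW + DAY)
            .sign(signer, hashes.SHA256()))

def make_ca_and_peer():
    """Constructed test PKI: a self-signed CA and one peer cert it issued."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_cert = _cert("Test CA", None, ca_key.public_key(), 1, ca_key)
    peer_key = ec.generate_private_key(ec.SECP256R1())
    peer_cert = _cert("peer.example", ca_cert.subject, peer_key.public_key(), 4242, ca_key)
    return ca_key, ca_cert, peer_cert

def ocsp_response_der(ca_key, ca_cert, peer_cert):
    """'Good' OCSP response for the peer's own cert, CA acting as responder: what a
    peer would send for *its* certificate in-band."""
    builder = ocsp.OCSPResponseBuilder().add_response(
        cert=peer_cert, issuer=ca_cert, algorithm=hashes.SHA1(),
        cert_status=ocsp.OCSPCertStatus.GOOD, this_update=NOW, next_update=NOW + DAY,
        revocation_time=None, revocation_reason=None,
    ).responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert)
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)

def crl_der(ca_key, ca_cert, n_revoked):
    """A CRL from the same CA listing n_revoked constructed serial numbers."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(NOW).next_update(NOW + DAY))
    for serial in range(100_000, 100_000 + n_revoked):  # each entry adds ~22 DER bytes
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(NOW).build())
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)

def size_comparison(n_revoked):
    """Return (ocsp_bytes, crl_bytes): one peer cert's OCSP response vs a CRL."""
    ca_key, ca_cert, peer_cert = make_ca_and_peer()
    return (len(ocsp_response_der(ca_key, ca_cert, peer_cert)),
            len(crl_der(ca_key, ca_cert, n_revoked)))
```

The OCSP response stays a few hundred bytes whatever the CA has revoked, while the CRL grows linearly with every revoked serial it must list.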
_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec