IETF-SSH archive
Re: draft-igoe-secsh-x509v3-00
On Tue, 15 Dec 2009, Nicolas Williams wrote:
>> 7) Certificate revocation list / OCSP responses. You've suggested
>> including CRL or OCSP data alongside the certificate chain for
>> efficiency purposes. I'm not a PKI expert either, so I'd like to hear
>> more feedback, especially from implementers, on whether this would be
>> of interest to them. I know that SunSSH's support for X.509 has some
>> consideration of CRL/OCSP, so maybe Jan can comment on what he thinks
>> of including that data with the cert chain or handling it outside of
>> the protocol.
>
> First, SunSSH does not support x.509 yet.
Douglas knows that I did some interop tests with VanDyke and
Attachmate and that it went OK. The code is still somewhere in my
workspace and I haven't ever released a patch, that's true.
> Second, I *strongly* recommend that both, the client and server be able
> to send OCSP responses for their own certs to the other, and that
> servers be able to send OCSP responses for the client's certs back to
> the client. This has a number of major benefits:
I agree with that. I think this idea of sending OCSP responses
was already in the original draft by Joseph and Oskari, if I remember
correctly. BTW, kmf_validate_cert() accepts optional OCSP response data.
J.
--
Jan Pechanec
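The thread proposes carrying OCSP responses alongside the X.509 certificate chain in the SSH exchange. The following is an added example, not code from the thread, SunSSH or KMF, of the fail-closed check a receiving side would apply to such stapled responses: every non-anchor certificate in the chain must be covered by a response that says "good" and is within its validity window. The record types, the constructed chain and the rule that the last chain element is the trust anchor are assumptions made for the example; real responses are DER and signed by the responder, which this does not model.

```python
# Added example: checking OCSP responses received together with a cert chain.
# Records are simplified stand-ins for X.509 certs and OCSP SingleResponses (assumption).
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Cert:
    serial: int
    issuer: str     # issuer DN (constructed)
    subject: str    # subject DN (constructed)

@dataclass(frozen=True)
class OcspResponse:
    serial: int           # serial of the cert the response speaks about
    issuer: str           # issuer of that cert
    status: str           # "good", "revoked" or "unknown"
    this_update: datetime
    next_update: datetime

def check_chain_with_ocsp(chain, responses, now, max_age=timedelta(days=7)):
    """Return (ok, reason). Fail closed: a missing, non-good, expired or stale
    response for any non-anchor cert rejects the whole chain."""
    by_key = {(r.serial, r.issuer): r for r in responses}
    for cert in chain[:-1]:           # last element assumed to be the trust anchor
        r = by_key.get((cert.serial, cert.issuer))
        if r is None:
            return False, f"no OCSP response for serial {cert.serial}"
        if r.status != "good":
            return False, f"serial {cert.serial} has status {r.status}"
        if not (r.this_update <= now <= r.next_update):
            return False, f"response for serial {cert.serial} outside validity window"
        if now - r.this_update > max_age:
            return False, f"response for serial {cert.serial} is stale"
    return True, "ok"

# Constructed sample data: host cert -> intermediate CA -> root (anchor).
NOW = datetime(2009, 12, 16, 12, 0, tzinfo=timezone.utc)
SAMPLE_CHAIN = [
    Cert(1001, "CN=Example Intermediate CA", "CN=ssh.example.test"),
    Cert(7, "CN=Example Root CA", "CN=Example Intermediate CA"),
    Cert(1, "CN=Example Root CA", "CN=Example Root CA"),
]
SAMPLE_RESPONSES = [
    OcspResponse(1001, "CN=Example Intermediate CA", "good",
                 NOW - timedelta(days=1), NOW + timedelta(days=6)),
    OcspResponse(7, "CN=Example Root CA", "good",
                 NOW - timedelta(days=2), NOW + timedelta(days=5)),
]

if __name__ == "__main__":
    print(check_chain_with_ocsp(SAMPLE_CHAIN, SAMPLE_RESPONSES, NOW))
```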