Nicolas Williams wrote:
> On Fri, Dec 21, 2007 at 02:55:35PM -0800, Huie-Ying Lee wrote:
>> However, if they are in order, then the scanning process
>> can be implemented faster.
>
> The time to search the list will be in the noise when you add all the PK
> ops :)
>
>> I'm curious why the draft cannot require the
>> responses to be in order, just like the certificate array?
>
> Oversight, no doubt. (I insisted on having OCSP support added to the
> I-D, so this would probably be my oversight.)
>
>> The party that
>> actually acquires a response from the OCSP server in the first place should
>> know what certificates are covered by each response.
>
> Yes.
>
>> One question about section 4.1 - if responses are included along with the
>> certificates, then each certificate in the chain should be covered by one
>> of the responses. Correct?
>
> Yes, but I think this could reasonably be optional. That is, I think it'd
> be reasonable for a client to get an OCSPResponse only for its EE certs
> and let the server get the others. This on the theory that the server
> is likely to already have the others, assuming that a small set of
> validation paths happen to be very common, which in an intranet would be
> true.
This sounds fine to me. It would be nice to make some clarification about OCSP in the draft as Jan suggested.

Huie-Ying
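The two points the thread settles on, matching each certificate in the array to the OCSP response that covers it (with an in-order fast path, falling back to a scan when the peer did not order them) and the "all certs" versus "EE only, server fetches the rest" coverage policy, as an added example that is not part of the original thread or of the draft. Certificates and responses are modelled as plain records keyed by (issuer, serial), standing in for the OCSP CertID, rather than parsed from DER; all names, serials and the policy labels are constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, not parsed)."""
    subject: str
    issuer: str
    serial: int

    @property
    def cert_id(self) -> Tuple[str, int]:
        # An OCSP CertID hashes issuer name and key plus the serial; the
        # (issuer, serial) pair plays that role here.
        return (self.issuer, self.serial)


@dataclass(frozen=True)
class OCSPResponse:
    """One OCSPResponse may carry several SingleResponses, so it can cover
    more than one certificate.  'covered' is the set of CertIDs it answers."""
    covered: FrozenSet[Tuple[str, int]]

    def covers(self, cert: Cert) -> bool:
        return cert.cert_id in self.covered


def match_responses(chain: Sequence[Cert],
                    responses: Sequence[OCSPResponse],
                    strict_order: bool = False
                    ) -> Tuple[List[Optional[int]], List[int]]:
    """Map chain[i] to the index of a response covering it.

    Returns (mapping, uncovered): mapping[i] is the response index for
    chain[i] or None; uncovered lists the chain indices with no response.
    The fast path assumes responses are ordered like the certificate array
    (responses[i] covers chain[i]).  With strict_order=False a miss falls
    back to a linear scan, which is what a receiver must do if the draft
    does not mandate ordering.
    """
    mapping: List[Optional[int]] = []
    for i, cert in enumerate(chain):
        hit: Optional[int] = None
        if i < len(responses) and responses[i].covers(cert):
            hit = i                                   # in-order fast path
        elif not strict_order:
            for j, resp in enumerate(responses):      # unordered: scan
                if resp.covers(cert):
                    hit = j
                    break
        mapping.append(hit)
    uncovered = [i for i, h in enumerate(mapping) if h is None]
    return mapping, uncovered


def coverage_ok(chain: Sequence[Cert], responses: Sequence[OCSPResponse],
                policy: str = "all", strict_order: bool = False
                ) -> Tuple[bool, List[int]]:
    """policy='all': every certificate in the array needs a response.
    policy='ee': only chain[0] (the end-entity cert) must be covered; the
    returned 'uncovered' list is then what the receiver has to fetch itself.
    The policy names are assumptions for this example, not draft text."""
    mapping, uncovered = match_responses(chain, responses, strict_order)
    if policy == "all":
        return not uncovered, uncovered
    if policy == "ee":
        return bool(mapping) and mapping[0] is not None, uncovered
    raise ValueError(f"unknown policy {policy!r}")


# Constructed sample chain: EE first, as in a TLS/SSH certificate array.
# The root is the trust anchor and is not sent, so it needs no response.
INTERMEDIATE = Cert("Intranet CA", "Root CA", 1001)
EE = Cert("host.example.test", "Intranet CA", 4242)
CHAIN = [EE, INTERMEDIATE]

R_EE = OCSPResponse(frozenset({EE.cert_id}))
R_INT = OCSPResponse(frozenset({INTERMEDIATE.cert_id}))
R_BOTH = OCSPResponse(frozenset({EE.cert_id, INTERMEDIATE.cert_id}))

if __name__ == "__main__":
    print("in order    :", match_responses(CHAIN, [R_EE, R_INT], strict_order=True))
    print("out of order:", match_responses(CHAIN, [R_INT, R_EE], strict_order=True))
    print("EE only, policy=all:", coverage_ok(CHAIN, [R_EE], policy="all"))
    print("EE only, policy=ee :", coverage_ok(CHAIN, [R_EE], policy="ee"))
```

One caveat the ordering rule has to allow for: a single OCSPResponse can answer for several certificates, so with `strict_order=True` a response covering both the EE and the intermediate only matches position 0, and the intermediate is reported uncovered even though a scan would find it. A draft that mandates ordering should say whether one response may stand for consecutive array entries or whether each entry gets its own.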
