-----Original Message-----
From: Rob Stradling [mailto:rob.stradl...@comodo.com]
Sent: Thursday, November 28, 2013 3:00 AM
To: Tim Moses
Cc: wpkops@ietf.org; Rick Andrews; Ben Laurie
Subject: Re: [wpkops] OCSP Responder Vendors
On 27/11/13 15:43, Tim Moses wrote:
Hi Rob. I can't argue with that.
But, isn't our focus more on design choices than implementation
flaws? After all, IETF can help fix problems with protocol design and
configuration, but there is less they can do about bugs.
Generally, I would be supportive of gathering more (rather than less)
information. But, I am also acutely aware that we have to finish the
project on schedule, and we are reliant on the good will of busy
people.
Having said all that, I don't object to sending the survey to all the
CAs in the usual trust anchor lists.
Hi Tim. Google may soon conduct a survey of all the publicly-trusted
CAs to find out what CA software and OCSP software each CA is using, in
order to find out which CA/OCSP software will need to be updated to
support various features of Certificate Transparency (RFC6962).
I asked Ben Laurie about this yesterday, and he said he might kick off
a
survey as early as next week. (CC'ing Ben).
If Google do their survey first, then this will hopefully yield a full
list of OCSP software authors for WPKOPS to survey. :-)
But, I wouldn't necessarily give high priority to chasing responses
and analyzing them.
I'm also happy to defer to the group if this is generally viewed to
be of higher priority.
All the best. Tim.
On Nov 27, 2013, at 9:30 AM, "Rob Stradling"
<rob.stradl...@comodo.com> wrote:
On 27/11/13 13:27, Tim Moses wrote:
Hi Rob. I would say "yes" to this if we thought it might uncover
an issue that needed fixing. Otherwise, we might just be creating a
lot of extra work for little benefit.
What do you think? All the best. Tim.
I have no idea if this would uncover any issues that would need
fixing.
But if we're going to scrutinize the commercial software, why
wouldn't we also scrutinize the in-house software?
In-house software isn't any less likely to contain bugs just because
it isn't sold commercially!
On Nov 27, 2013, at 5:08 AM, "Rob Stradling"
<rob.stradl...@comodo.com> wrote:
On 26/11/13 23:46, Rick Andrews wrote:
Folks,
I'm thinking we should also send the survey to vendors of OCSP
Responder
software. I know of CoreStreet, and I've heard tell of others,
but I
don't know who they are.
Hi Rick. Some CAs have written their own OCSP Responder software
in-house. Since it's for their own use, they're not acting as
"vendors", but nonetheless I'd say that the behaviour of this software
is of just as much interest as the behaviour of, say, Corestreet's
software.
Perhaps we need to send the survey to every publicly-trusted CA!
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
wpkops mailing list
wpkops@ietf.org
https://www.ietf.org/mailman/listinfo/wpkops
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com
COMODO CA Limited, Registered in England No. 04058690
Registered Office:
3rd Floor, 26 Office Village, Exchange Quay,
Trafford Road, Salford, Manchester M5 3EQ
This e-mail and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are
addressed. If you have received this email in error please notify the
sender by replying to the e-mail containing this attachment. Replies to
this email may be monitored by COMODO for operational or business
reasons. Whilst every endeavour is taken to ensure that e-mails are
free
from viruses, no liability can be accepted and the recipient is
requested to use their own virus checking software.
