async OCSP over DTLS RE: gnutls 3.0.10

[Peter Williams]

has anyone considered doing asynch ocsp (over DTLS...).

 

Ie there are two class of connectionless channel, one of which (over which layer-7-unsigned OCSP itself passes) acts as an authorizer for tge completion of the other.

 

The IETF spec reallly doesnt capture the original art of what becmae OCSP. Originally, a nightly job pre-signed lots of daily status messages (almost acting as a 1 line CRL). This was then replicated, much like a DNS zone. SSL endpoints then used an access protocol to access the replicant of the zone, and would ping it for the certificate status bit of a given keyed cert. If there was trust (e.g. an DTLS channel) between certificate-using system and replicant (and the asusmption the replicant had authenticated each signed status message during repliction, or their replicator's source endpoint in a further act of trusting).

 

Another variant had replicants sending CRLs around to distribution points... the "last" of which creates a pool of individuall signed OCSP rsponse, ready to be quickly delivered over access protocols.

 

what folks were not supposed to do was ping a online status responder, doing real time layer-7 signing. That was always deemed a crypto no-no for RSA (but this is what folks do).

 

One can play with a large DTLS sesssion cache - where each sessionid is a surrogate for a cert's status.