async OCSP over DTLS RE: gnutls 3.0.10

[Peter Williams]

has anyone considered doing asynch ocsp (over DTLS...).

 

Ie there are two class of connectionless channel, one of which (over which 
layer-7-unsigned OCSP itself passes) acts as an authorizer for tge completion 
of the other.

 

The IETF spec reallly doesnt capture the original art of what becmae OCSP. 
Originally, a nightly job pre-signed lots of daily status messages (almost 
acting as a 1 line CRL). This was then replicated, much like a DNS zone. SSL 
endpoints then used an access protocol to access the replicant of the zone, and 
would ping it for the certificate status bit of a given keyed cert. If there 
was trust (e.g. an DTLS channel) between certificate-using system and replicant 
(and the asusmption the replicant had authenticated each signed status message 
during repliction, or their replicator's source endpoint in a further act of 
trusting).

 

Another variant had replicants sending CRLs around to distribution points... 
the "last" of which creates a pool of individuall signed OCSP rsponse, ready to 
be quickly delivered over access protocols.

 

what folks were not supposed to do was ping a online status responder, doing 
real time layer-7 signing. That was always deemed a crypto no-no for RSA (but 
this is what folks do).

 

One can play with a large DTLS sesssion cache - where each sessionid is a 
surrogate for a cert's status.