Re: OCSP I-Ds going forward

Peter,

Your point of being able to handle broken DNs is a very good one.
The relative complexity of DNs compared to a simple hash, and the
historic ability of coders to get DNs wrong begs for one easy way
to match certificates.

Compact is a good reason too, and the hash provides a fixed length
search key, and complexity that does not vary with the number of
DN components, their order, or whether a given attribute is absent
or present or appears more than once.

A hash approach does not require writing, testing, documenting and
maintaining all of the programming logic needed to handle DN
complexity.

And a  hash doesn't care what type or version of certificate is used,
whether it's encoded in DER or XER, or whether it even has a DN.

Phil

Peter Gutmann wrote:

big snip

>
>- Universal and unambiguous (uniquely identifies a cert even if (just to keep
>  Steve Kent happy  it has a broken DN).
>
>- Compact enough to work in bandwidth-constrained or resource-limited
>  environments.
>
>- Easy to get right, to avoid the problems experienced with the v1 ID.
>
>The only ID which seems to meet these requirements is certHash.  As I said in
>my previous message, I don't care what else you stick in there, as long as I
>can ship code which I know will work with any other (v2-aware) implementation.
>
>Peter.
>
>  
>