OASIS Mailing List Archives

 




Subject: Re: [dss] Individual reports for verification response


At 08:58 AM 7/5/2003 -0400, jmessing wrote:

>The protocol should probably support various levels of granularity in 
>reports with the probable end result being that very few users may want 
>access to that level of detail as a practical matter unless and until a 
>signature is challenged, just like a bank keeps records of manual 
>signatures on file to reference in the event a manual signature on a check 
>or draft is challenged, but does not check each signature against the 
>signature card because of the impracticality of the process.

This complexity is why I'm a little leery of this feature, since we're 
going to have to enumerate and name all the meaningful events a service can 
notify the client about, and worry about things like what level of 
granularity is appropriate, and how to parameterize these events (does the 
service just say "I checked a revocation mechanism", or does it say "I 
checked a CRL", or does it say "I checked *<this>* CRL", etc.), and how to 
let the client specify filters on which events it wants to receive.  We 
could end up designing a whole logging system, if we're not careful.

But maybe that's exaggerating.  Perhaps we could just let things like 
"which events to return" be part of the "verifying policy" in 3.6.2 - i.e., 
part of that mass of ways one server can differ from another that a client 
can't control individually but that's implicit in the "verifying policy" 
the server's operating under.

Trevor 