OASIS Mailing List Archives

dss message



Subject: Re: [dss] Individual reports for verification response


At 08:56 AM 6/24/2003 +0200, Andreas Kuehne wrote:
>Hi All,
>
>>>What about something like:
>>>"The server should be able to issue individual reports on each
>>>token it has verified (certificates, signatures, etc) when the verification
>>>fails."
>>
>>When it fails, do you want:
>>  - a report only on the thing that failed (this certificate was revoked)
>>  - also reports on the things that were good (this certificate was 
>> revoked, these were good, these weren't checked yet)
>
>Would it cause any problems if we have an option to get a full report when 
>the verification evaluates to 'true', too?
>
>I'm suffering from the low acceptance of digital signatures in 'real 
>life'. It would be more persuasive for a doubting user to have a notion of 
>all the work (digesting, CRL Checks, OCSP calls ...) that was done on 
>behalf of his verification request. If you implement a report for the 
>failure case, you don't have to implement another for the success case.

3.7.5 has the idea of actually returning the verification info that was 
used, or references to it (CRL Checks, OCSP responses), and we were going 
to add a switch in 3.6.2, I think, to request this info.  Would that take 
care of this as well?

Probably not.  It sounds like you want more a list of what the server did 
(first digested, then verified signature against key, then validated cert 
path, then checked CRLs for certs in path, etc.).  If we just want this to 
be human-readable, then we could let the server put whatever it wants in 
it.  If we wanted it to be machine-readable we'd have to standardize how 
each "event" is represented, and that might be a bit of work.  Though I 
guess if we're going to make a list of all the things that might fail, it's 
not hard to also list all the things that might succeed.

Trevor 


