[cabfpub] Fwd: [pkix] Straw-poll on OCSP responses for non-revoked certificates.

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Tue Oct 30 21:47:28 UTC 2012


On 10/30/2012 01:22 PM, From Yngve Nysaeter Pettersen:
> 1. Allow "revoked" response for a certificate that has not been "revoked"
> but where that OCSP responder for any other reason knows the certificate
> to be "bad".
>
> 2. Require that the OCSP responder MUST respond "good" in this situation.
>
> 3. Neither 1 or 2 (motivate).

Neither - an OCSP responder should respond with "Unknown" or 
"Unauthorized" in case the certificate is unknown. Or either "Good" or 
"Revoked" for known ones.

Rational - responding "Revoked" for a certificate that might be good, is 
incorrect, either due to migration and update time or other reasons 
(out-of-sync cor whatever). Clients may cache revoked responses forever, 
revoked certificates are never unrevoked.



Regards
Signer: 	Eddy Nigg, COO/CTO
	StartCom Ltd. <http://www.startcom.org>
XMPP: 	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: 	Join the Revolution! <http://blog.startcom.org>
Twitter: 	Follow Me <http://twitter.com/eddy_nigg>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20121030/b1099aff/attachment-0004.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4540 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.cabforum.org/pipermail/public/attachments/20121030/b1099aff/attachment-0002.p7s>


More information about the Public mailing list