Hi all,

(first of all I apologize for my English(?), now let's go on ... )

Working on an OCSP server to be included in the OpenCA package, I found very strange the lack of some kind of CSL (Certificate Suspension List). If there is something similar I'm not aware of, please report it and ignore this mail ...

By CSL I mean a sort of CRL (same structures, formats), but carrying a list of only suspended certificates: this is obviously useful for OCSP implementations and, considering the fact that in most environments you'll not be requested for certificate status changes very often, issuing this kind of list, I think, could be useful.

First of all, the software can, with very few modifications, support this kind of list because they are built exactly like CRLs (but they carry information only on suspension: this can occur for example when a certificate is requested for revocation but the request has not been processed by the CA (think about network-disconnected CAs)).

These lists can be signed by, let's say, the OCSP server (certificate assigned to the OCSP authority or another certificate issued for this purpose and placed on a network-connected station) and issued whenever a new certificate is suspended or its state is changed to revoked/valid. When this last option happens the certificate simply does not appear on the suspension list.

The correct status of a certificate, then, can be given by the couple CSL/CRL without having to support OCSP or other protocols, and moreover the CSLs are the same as CRLs so you don't have to rewrite most of the software ... think about Apache (that now correctly checks CRLs) ...

Is there anything like this around ??? Do you think this could be useful or not ???

In case you approve I can take charge of writing an initial RFC for publication if needed ...

Please report ANY comments :-D

C'you,

Massimiliano Pala (madwolf@openca.org)
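The CSL/CRL pair described in the mail, as an added example that is not part of the original post or of OpenCA: a "CSL" is built with the ordinary X.509 CRL structure, every entry carrying the certificateHold reason, signed by a separate OCSP key as proposed, and a relying party resolves a certificate's status from the pair. It assumes the third-party `cryptography` package; the function names, serial numbers and issuer names are constructed for the example.

```python
# Added example (not from the mail or OpenCA). Assumes the `cryptography` package.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def build_list(signer_key, issuer_cn, entries):
    """Build a CRL-formatted list; `entries` maps serial -> ReasonFlags.
    A CSL is exactly this structure, restricted to certificate_hold entries."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)]))
               .last_update(now)
               .next_update(now + datetime.timedelta(days=1)))
    for serial, reason in entries.items():
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder()
            .serial_number(serial)
            .revocation_date(now)
            .add_extension(x509.CRLReason(reason), critical=False)
            .build())
    return builder.sign(signer_key, hashes.SHA256())


def status(serial, crl, csl, ca_pub, csl_pub):
    """Resolve status from the CRL/CSL pair. Both lists must verify against the
    expected signer; revocation is final so the CRL wins; an un-suspended
    certificate is simply absent from the freshly issued CSL."""
    if not crl.is_signature_valid(ca_pub) or not csl.is_signature_valid(csl_pub):
        raise ValueError("list signature does not verify against the expected key")
    if crl.get_revoked_certificate_by_serial_number(serial) is not None:
        return "revoked"
    held = csl.get_revoked_certificate_by_serial_number(serial)
    if held is not None:
        reason = held.extensions.get_extension_for_class(x509.CRLReason).value.reason
        if reason != x509.ReasonFlags.certificate_hold:
            raise ValueError("CSL entry must carry certificateHold")  # not a real CSL
        return "suspended"
    return "good"


def demo():
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ocsp_key = ec.generate_private_key(ec.SECP256R1())  # separate CSL signer, per the proposal
    crl = build_list(ca_key, "Example CA", {1001: x509.ReasonFlags.key_compromise})
    # 1003 was suspended earlier; its suspension is lifted, so the reissued CSL omits it
    csl = build_list(ocsp_key, "Example OCSP", {1002: x509.ReasonFlags.certificate_hold})
    return {s: status(s, crl, csl, ca_key.public_key(), ocsp_key.public_key())
            for s in (1001, 1002, 1003, 1004)}
```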