Re: OCSP and CSL

Massimiliano Pala <madwolf@comune.modena.it>@toutatis.comune.modena.it on
01/24/2000 12:51:03 PM

Sent by:  madwolf@toutatis.comune.modena.it

To:   ietf-pkix@imc.org
cc:
Subject:  OCSP and CSL

Hi all,

(first of all I apologize for my English(?), now let's go on ... )

Working on an OCSP server to be included in the OpenCA package,
I found the lack of some kind of CSL (Certificate Suspension List)
very strange. If there is something similar I'm not aware of,
please report it and ignore this mail ...

By CSL I mean a sort of CRL (same structures, formats), but carrying
a list of only suspended certificates: this is obviously useful for
OCSP implementations, and considering the fact that in most environments
certificate status will not be requested to change very often, issuing
this kind of list, I think, could be useful.

[Tom Gindin] I believe that a CSL, in this sense, is probably just a CRL
whose issuingDistributionPoint extension contains an onlySomeReasons field
specifying the certificateHold bit and no other bit.  This doesn't require
any change to the standards.  However, it does bring up another point.  Why
is certificateHold included in ReasonFlags but not removeFromCRL?  If a
delta CRL is issued for a CRL partitioned by reason code, it seems to me
from the definition of issuingDistributionPoint that removeFromCRL could
only be included in a delta CRL with the onlySomeReasons field missing,
which goes against the point of having CRLs partitioned on a reason code
basis at all.  If it is assumed that entries with reason removeFromCRL are
permitted in any delta CRL whenever ReasonFlags contains certificateHold,
we should probably amend the IDP extension description to make this clear.

(snip)
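The construction Tom Gindin describes, a CRL whose issuingDistributionPoint extension carries an onlySomeReasons field holding only the certificateHold bit, as an added example that is not part of the thread and not OpenCA code. It uses the third-party `cryptography` package; the issuer name, key, serial numbers and dates are constructed sample values. Besides issuing such a "CSL" and reading it back from DER, it shows the relying-party caveat that comes with reason-partitioned CRLs: absence from a hold-only list must not be read as "good", because the list is silent about every other revocation reason. The last helper also checks the library's behaviour on the point raised in the reply, that removeFromCRL is not a ReasonFlags bit and so cannot be named in onlySomeReasons.

```python
# Added example (not from the thread): the "CSL as a reason-partitioned CRL"
# idea in Tom Gindin's reply, built with the third-party `cryptography`
# package. The issuer name, key, serial numbers and dates are constructed
# sample values; the package and API names are real.
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ReasonFlags
from cryptography.x509.oid import NameOID

# onlySomeReasons = { certificateHold } is what turns a CRL into a "CSL".
HOLD_ONLY = frozenset({ReasonFlags.certificate_hold})


def build_csl(issuer_key, suspended_serials, now=None):
    """Issue a CRL listing only suspended certificates, with an IDP extension
    whose onlySomeReasons field carries the certificateHold bit alone."""
    now = now or datetime.now(timezone.utc).replace(microsecond=0)
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example CA (constructed)")])
    idp = x509.IssuingDistributionPoint(
        full_name=None, relative_name=None,
        only_contains_user_certs=False, only_contains_ca_certs=False,
        only_some_reasons=HOLD_ONLY,
        indirect_crl=False, only_contains_attribute_certs=False,
    )
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(issuer)
        .last_update(now)
        .next_update(now + timedelta(days=1))
        .add_extension(idp, critical=True)  # RFC 5280: the IDP extension MUST be critical
    )
    for serial in suspended_serials:
        entry = (
            x509.RevokedCertificateBuilder()
            .serial_number(serial)
            .revocation_date(now)
            .add_extension(x509.CRLReason(ReasonFlags.certificate_hold), critical=False)
            .build()
        )
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(issuer_key, hashes.SHA256())


def crl_reason_scope(crl):
    """Reasons this CRL is authoritative for; None means a full CRL (all reasons)."""
    try:
        idp = crl.extensions.get_extension_for_class(x509.IssuingDistributionPoint).value
    except x509.ExtensionNotFound:
        return None
    return idp.only_some_reasons


def status_from_crl(crl, serial):
    """Status of one serial according to this CRL alone.

    A relying party must not turn "absent from a hold-only list" into "good":
    the list says nothing about keyCompromise or any other reason, so an
    unlisted serial is 'out_of_scope' until the CRLs covering the remaining
    reasons have been consulted (RFC 5280 section 6.3.3 scope rules).
    """
    entry = crl.get_revoked_certificate_by_serial_number(serial)
    if entry is not None:
        try:
            reason = entry.extensions.get_extension_for_class(x509.CRLReason).value.reason
        except x509.ExtensionNotFound:
            reason = ReasonFlags.unspecified
        return "suspended" if reason == ReasonFlags.certificate_hold else "revoked"
    return "good" if crl_reason_scope(crl) is None else "out_of_scope"


def remove_from_crl_allowed_in_scope():
    """The reply's observation, checked against the library: removeFromCRL is a
    CRLReason value but not a ReasonFlags bit, so it can never be named in
    onlySomeReasons; the IDP constructor rejects it with ValueError."""
    try:
        x509.IssuingDistributionPoint(
            None, None, False, False, frozenset({ReasonFlags.remove_from_crl}), False, False
        )
        return True
    except ValueError:
        return False


def demo():
    """Build a CSL, round-trip it through DER, and look up some serials."""
    key = ec.generate_private_key(ec.SECP256R1())  # constructed issuer key
    crl = build_csl(key, [0x1001, 0x1002])
    der = crl.public_bytes(serialization.Encoding.DER)
    parsed = x509.load_der_x509_crl(der)  # what an OCSP responder would read in
    return {
        "signature_ok": parsed.is_signature_valid(key.public_key()),
        "scope": crl_reason_scope(parsed),
        "0x1001": status_from_crl(parsed, 0x1001),
        "0x9999": status_from_crl(parsed, 0x9999),
        "entries": len(parsed),
        "remove_from_crl_in_scope": remove_from_crl_allowed_in_scope(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

An OCSP responder built on such a list would report a listed serial as revoked with reason certificateHold (a suspension, which the CA may later lift), and would still need the CRL or other source covering the remaining reasons before answering "good" for an unlisted serial.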