Hi all,
(first of all, I apologize for my English(?), now let's go on ... )
Working on an OCSP server to be included in the OpenCA package,
I found the lack of some kind of CSL (Certificate Suspension List)
very strange. If there is something similar that I'm not aware of,
please report it and ignore this mail ...
By CSL I mean a sort of CRL (same structures, formats), but carrying
a list of only suspended certificates: this is obviously useful for
OCSP implementations and, considering the fact that in most environments
you'll not be asked for certificate status changes very often, issuing
this kind of list could, I think, be useful.
First of all, the software can support this kind of list with very
few modifications, because they are built exactly like CRLs (but
carry information only on suspension: this can occur, for
example, when a certificate is requested for revocation but the request
has not been processed by the CA yet (think about network-disconnected
CAs)). These lists can be signed by, let's say, the OCSP server
(the certificate assigned to the OCSP authority, or another certificate
issued for this purpose and placed on a network-connected station) and
issued whenever a new certificate is suspended or its state is
changed to revoked/valid. When this last option happens the certificate
simply does not appear on the suspension list.
The correct status of a certificate, then, can be given by the
CSL/CRL pair without having to support OCSP or other protocols; and
moreover the CSLs are the same as CRLs, so you don't have to rewrite
most of the software ... think about Apache (which now correctly
checks CRLs) ...
Is there anything like this around??? Do you think this could be
useful or not??? If you approve, I can take charge of writing
an initial RFC for publication if needed ...
Please report ANY comments :-D
C'you,
Massimiliano Pala (madwolf@openca.org)
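The CRL/CSL pair described in the mail above, as an added worked example that is not part of the original message and not OpenCA code. It uses the `cryptography` package (assumed available) to build both lists with the ordinary X.509 CRL builder: the CRL is signed by the CA key, the CSL by a separate responder key and carries only certificateHold entries; the resolver then verifies each list against the key trusted for it, refuses stale lists, rejects a CSL that tries to assert anything other than a hold (a revocation must come from the CA, not from the responder key), and returns "revoked", "suspended" or "good". The issuer names, serial numbers and clock are constructed for the demo.

```python
"""Added example (not from the original mail or from OpenCA): a CSL is an
ordinary X.509 CRL that lists only suspended (certificateHold) serials and
is signed by a key other than the CA's, e.g. the OCSP responder's.
Status is then resolved from the CRL/CSL pair. Requires the 'cryptography'
package; names, serials and the clock below are constructed for the demo."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import Encoding
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc
HOLD = x509.ReasonFlags.certificate_hold


def build_list(signing_key, issuer_cn, entries, now, validity_hours=24):
    """Build a CRL-format list (DER) from (serial, ReasonFlags) pairs.
    The same builder produces both the CA's CRL and the responder's CSL."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)]))
               .last_update(now)
               .next_update(now + datetime.timedelta(hours=validity_hours)))
    for serial, reason in entries:
        entry = (x509.RevokedCertificateBuilder()
                 .serial_number(serial)
                 .revocation_date(now)
                 .add_extension(x509.CRLReason(reason), critical=False)
                 .build())
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(signing_key, hashes.SHA256()).public_bytes(Encoding.DER)


def load_entries(der, trusted_pubkey, now, hold_only=False):
    """Parse a list, verify it against the key trusted for it, refuse a stale
    one, and return {serial: reason}. With hold_only=True (the CSL case) any
    entry that is not certificateHold is rejected: a revocation asserted by
    the responder key, not the CA, must not be honoured."""
    lst = x509.load_der_x509_crl(der)
    if not lst.is_signature_valid(trusted_pubkey):
        raise ValueError("signature check failed")
    # next_update_utc exists on newer cryptography releases; fall back otherwise.
    next_update = getattr(lst, "next_update_utc", None) or lst.next_update
    if next_update is not None:
        if next_update.tzinfo is None:
            next_update = next_update.replace(tzinfo=UTC)
        if next_update < now:
            raise ValueError("list is stale (nextUpdate has passed)")
    entries = {}
    for rc in lst:
        try:
            reason = rc.extensions.get_extension_for_class(x509.CRLReason).value.reason
        except x509.ExtensionNotFound:
            reason = x509.ReasonFlags.unspecified
        if hold_only and reason != HOLD:
            raise ValueError("CSL entry %x is not certificateHold" % rc.serial_number)
        entries[rc.serial_number] = reason
    return entries


def resolve(serial, crl_der, ca_pub, csl_der, responder_pub, now):
    """Status from the pair: the CA's CRL wins, the CSL only adds suspensions.
    A certificate that moved from suspended to revoked shows up in the CRL
    and has simply dropped off the CSL."""
    crl = load_entries(crl_der, ca_pub, now)
    csl = load_entries(csl_der, responder_pub, now, hold_only=True)
    if serial in crl:
        return "suspended" if crl[serial] == HOLD else "revoked"
    if serial in csl:
        return "suspended"
    return "good"


def demo():
    """Constructed scenario: CA key and responder key, one CRL, one CSL,
    three lookups, plus three lists that must be refused."""
    now = datetime.datetime(2024, 1, 1, 12, 0, tzinfo=UTC)
    ca_key = ec.generate_private_key(ec.SECP256R1())
    responder_key = ec.generate_private_key(ec.SECP256R1())
    ca_pub, responder_pub = ca_key.public_key(), responder_key.public_key()
    crl = build_list(ca_key, "Example CA", [(0x1001, x509.ReasonFlags.key_compromise)], now)
    csl = build_list(responder_key, "Example OCSP Responder", [(0x2002, HOLD)], now)
    # A CSL that smuggles in a real revocation under the responder key.
    bad_csl = build_list(responder_key, "Example OCSP Responder",
                         [(0x4004, x509.ReasonFlags.key_compromise)], now)
    statuses = {s: resolve(s, crl, ca_pub, csl, responder_pub, now)
                for s in (0x1001, 0x2002, 0x3003)}
    errors = []
    for args in ((0x2002, crl, ca_pub, csl, ca_pub, now),                      # CSL checked with wrong key
                 (0x2002, crl, ca_pub, csl, responder_pub, now + datetime.timedelta(days=2)),  # stale
                 (0x4004, crl, ca_pub, bad_csl, responder_pub, now)):          # non-hold CSL entry
        try:
            resolve(*args)
        except ValueError as e:
            errors.append(str(e))
    return statuses, errors


if __name__ == "__main__":
    print(demo())
```

The resolver trusts each list only against the key assigned to it, which is the point of letting a non-CA key sign the CSL: the responder key can say "on hold" and nothing else, and a relying party that already parses CRLs needs no new format, just a second trust anchor and the hold-only rule.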