Re: OCSP and CSL
Massimiliano,
I'm no expert but my read of the RFCs is a little different.
The CSL which you describe seems to me like a subset of a CRL. If you made
a query at a CA for that info I'd guess that the current CRL at the CA
would be parsed to deliver your answer. The response would be in the form
of a list. So depending on the CRL lifetime, that info may (or may not) be
current.
Using OCSP, on the other hand, the request would be made to a CA regarding a
specific cert. The CA would be queried directly for a response (so the
info would be current). The response would be either good, revoked or unknown.
Comments?
Regards,
Brian
At 06:51 PM 01/24/00, Massimiliano Pala wrote:
>Hi all,
>
>(first of all I apologize for my english(?), now let's go on ... )
>
>working on an OCSP server to be included in the OpenCA package,
>I found very strange the lack of some kind of CSL (Certificate
>Suspension List). If there is something similar I'm not aware of,
>please report it and ignore this mail ...
>
>By CSL I mean a sort of CRL (same structures, formats), but carrying
>a list of only suspended certificates: this is obviously useful for
>OCSP implementations, and considering the fact that in most environments you'll
>not be requested for certificate status changes very often, issuing
>this kind of list, I think, could be useful.
>
>First of all the software can, with very few modifications, support
>this kind of list because they are built exactly like CRLs (but
>they carry information only on suspension: this can occur for
>example when a certificate is requested for revocation but the request
>has not been processed by the CA (think about network-disconnected
>CAs)). These lists can be signed by, let's say, the OCSP server
>(certificate assigned to the OCSP authority or another certificate
>issued for this purpose and placed on a network-connected station) and
>issued whenever a new certificate is suspended or its state is
>changed to revoked/valid. When this last option happens the certificate
>simply does not appear on the suspension list.
>
>The correct status of a certificate, then, can be given by the
>pair CSL/CRL without having to support OCSP or other protocols, and
>moreover the CSLs are the same as CRLs so you don't have to rewrite
>most of the software ... think about Apache (which now correctly
>checks CRLs) ...
>
>Is there anything like this around ??? Do you think this could be
>useful or not ??? If you approve I can take charge of writing
>an initial RFC for publication if needed ...
>
>Please report ANY comments :-D
>
>C'you,
>
> Massimiliano Pala (madwolf@openca.org)
Brian Ford
Consulting Engineer, CCIE #2106
Cisco Systems Inc.
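The two positions in this thread (a "CSL" as a subset of the CRL, versus a per-certificate OCSP answer that may be stale when it is derived from a CRL) can be modelled in a few lines. The following is an added example written for this page; it is not code from the thread, from OpenCA, or from any OCSP implementation. It uses the RFC 5280 CRLReason code certificateHold (6) as the marker for a suspended certificate, derives the suspension-only list from a full CRL, answers a single-serial query with the OCSP-style values good/revoked/unknown, and flags the answer as stale when the CRL is past its nextUpdate, which is the caveat Brian raises. The issuer name, serial numbers and timestamps are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, Optional


class CRLReason(Enum):
    """CRLReason codes from RFC 5280 section 5.3.1 (subset used here)."""
    UNSPECIFIED = 0
    KEY_COMPROMISE = 1
    CERTIFICATE_HOLD = 6   # suspension: the certificate may be reinstated later
    REMOVE_FROM_CRL = 8    # delta-CRL marker that a hold was lifted


@dataclass
class CRLEntry:
    serial: int
    revocation_date: datetime
    reason: Optional[CRLReason] = None


@dataclass
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime
    entries: Dict[int, CRLEntry] = field(default_factory=dict)


@dataclass
class StatusResult:
    status: str                  # "good", "revoked" or "unknown", as in OCSP CertStatus
    reason: Optional[CRLReason]
    suspended: bool              # the entry's reason was certificateHold
    stale: bool                  # CRL is past nextUpdate, so the answer may be outdated


def status_from_crl(crl: CRL, issuer: str, serial: int, now: datetime) -> StatusResult:
    """Answer a single-certificate query from a CRL, as a CRL-backed responder would.

    A CRL only speaks for its own issuer, so a query about another issuer's
    certificate yields "unknown". A held (suspended) certificate is reported as
    revoked, since RFC 5280 treats it as revoked until the hold is lifted; the
    suspended flag lets the caller tell the two cases apart.
    """
    stale = now > crl.next_update
    if issuer != crl.issuer:
        return StatusResult("unknown", None, False, stale)
    entry = crl.entries.get(serial)
    if entry is None:
        return StatusResult("good", None, False, stale)
    held = entry.reason is CRLReason.CERTIFICATE_HOLD
    return StatusResult("revoked", entry.reason, held, stale)


def suspension_list(crl: CRL) -> CRL:
    """The thread's CSL: the same CRL structure restricted to certificateHold entries."""
    held = {s: e for s, e in crl.entries.items() if e.reason is CRLReason.CERTIFICATE_HOLD}
    return CRL(crl.issuer, crl.this_update, crl.next_update, held)


def lift_hold(crl: CRL, serial: int, now: datetime) -> CRL:
    """Reinstate a suspended certificate by issuing a new CRL without its entry.

    The certificate then simply no longer appears on the suspension list, which
    is how the original post describes a suspension being cleared.
    """
    entry = crl.entries.get(serial)
    if entry is None or entry.reason is not CRLReason.CERTIFICATE_HOLD:
        raise ValueError("only a certificateHold entry can be lifted")
    remaining = {s: e for s, e in crl.entries.items() if s != serial}
    validity = crl.next_update - crl.this_update
    return CRL(crl.issuer, now, now + validity, remaining)


# Constructed sample data (not real certificates or a real CA).
T0 = datetime(2000, 1, 24, 12, 0, tzinfo=timezone.utc)
ISSUER = "CN=Example CA"
SAMPLE_CRL = CRL(
    issuer=ISSUER,
    this_update=T0,
    next_update=T0 + timedelta(days=7),
    entries={
        0x1001: CRLEntry(0x1001, T0 - timedelta(days=3), CRLReason.KEY_COMPROMISE),
        0x1002: CRLEntry(0x1002, T0 - timedelta(days=1), CRLReason.CERTIFICATE_HOLD),
    },
)
NOW_FRESH = T0 + timedelta(hours=1)   # inside the CRL's validity window
NOW_STALE = T0 + timedelta(days=8)    # after nextUpdate: answers are flagged stale


if __name__ == "__main__":
    for serial in (0x1001, 0x1002, 0x1003):
        print(hex(serial), status_from_crl(SAMPLE_CRL, ISSUER, serial, NOW_FRESH))
    print("CSL serials:", [hex(s) for s in suspension_list(SAMPLE_CRL).entries])
    reinstated = lift_hold(SAMPLE_CRL, 0x1002, NOW_FRESH)
    print("after lifting hold:", status_from_crl(reinstated, ISSUER, 0x1002, NOW_FRESH))
    print("stale query:", status_from_crl(SAMPLE_CRL, ISSUER, 0x1001, NOW_STALE))
```

The stale flag is the practical difference between the two approaches in the thread: a responder that parses a cached CRL can only be as current as that CRL's nextUpdate, whereas a responder with direct access to the CA's status database can answer from live data.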