
Re: OCSP and CSL



Massimiliano,

> Yes, I think this is what we definitely need. What I was wondering is if available
> software can distinguish CSLs from CRLs ... As far as I know, actually Netscape
> does not support CRLs with extensions. Am I wrong ???

I think the most recent release of Navigator does know how to process CRLs, but probably not fancy CRLs with extensions.

> Do you know of some software supporting extensions in CRLs (widely available) ???

Check on the Jonah software from IBM, or the NIST or Van Dyke toolkits.

> To issue a CRL, you'd need the CA certificate/key, but in an environment where you
> have (for security reasons) a network-less CA, how to accomplish this ??? Can you
> sign CRLs with a certificate that is not the CA Cert ???

You can sign a CRL with an offline CA key, and transfer the signed CRL to a directory or other repository. Also, you can have the CA have two certs, with two different keys, one for signing certs and one for signing CRLs.


> I was also thinking about the OCSP service: if I remember well, the possible states
> for a given certificate can be Good/Revoked or Unknown only, right ??? What about,
> if there is not yet, adding a 'Suspended' state ???

I don't recall what OCSP says re suspended certs as a form of revoked cert.

Finally, I have to agree with Russ. I am not fond of suspension as a revocation declaration and since 2459 disparages use of this facility, I don't think we should spend lots of time on this issue.

Steve
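The two-key arrangement Steve describes (one CA name, a cert-signing key that stays offline and a separate key marked crlSign that signs CRLs), together with a CRL entry on certificateHold, which is how "suspended" is expressed on the CRL side, worked through as an added example. This is not code from the thread or from any of the toolkits named above; it uses the third-party Python `cryptography` package, and the CA name, serial numbers and validity dates are assumptions chosen for the example.

```python
"""Added example (not from the original thread): one CA name, two keys.

The cert-signing key signs the CA's own cert and, once, a second cert for the
same CA name whose key usage is crlSign only. After that the cert-signing key
can stay on a network-less host; CRLs are produced with the CRL key and copied
to a repository. A relying party locates the CRL signer by issuer name plus the
crlSign bit, never by assuming the CA's cert-signing key.
Assumes the `cryptography` package; names, serials and dates are made up.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)  # fixed clock (assumed)
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Offline CA")])  # assumed


def key_usage(**flags):
    """KeyUsage extension with every bit off except the ones named."""
    bits = dict(digital_signature=False, content_commitment=False, key_encipherment=False,
                data_encipherment=False, key_agreement=False, key_cert_sign=False,
                crl_sign=False, encipher_only=False, decipher_only=False)
    bits.update(flags)
    return x509.KeyUsage(**bits)


def issue_ca_certs():
    """Return (cert_key, ca_cert, crl_key, crl_signer_cert) for one CA name."""
    cert_key = ec.generate_private_key(ec.SECP256R1())  # stays offline
    crl_key = ec.generate_private_key(ec.SECP256R1())   # used on the CRL-issuing host

    def cert_for(pub, usage, days, is_ca):
        b = (x509.CertificateBuilder()
             .subject_name(CA_NAME).issuer_name(CA_NAME)
             .public_key(pub)
             .serial_number(x509.random_serial_number())
             .not_valid_before(NOW)
             .not_valid_after(NOW + datetime.timedelta(days=days))
             .add_extension(usage, critical=True))
        if is_ca:
            b = b.add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        return b.sign(cert_key, hashes.SHA256())  # both certs are signed by the offline key

    ca_cert = cert_for(cert_key.public_key(), key_usage(key_cert_sign=True), 3650, True)
    crl_signer_cert = cert_for(crl_key.public_key(), key_usage(crl_sign=True), 365, False)
    return cert_key, ca_cert, crl_key, crl_signer_cert


def issue_crl(crl_key, held_serial):
    """CRL for CA_NAME signed with the CRL key; its single entry is on certificateHold,
    i.e. suspended rather than permanently revoked."""
    entry = (x509.RevokedCertificateBuilder()
             .serial_number(held_serial)
             .revocation_date(NOW)
             .add_extension(x509.CRLReason(x509.ReasonFlags.certificate_hold), critical=False)
             .build())
    return (x509.CertificateRevocationListBuilder()
            .issuer_name(CA_NAME)
            .last_update(NOW)
            .next_update(NOW + datetime.timedelta(days=1))
            .add_extension(x509.CRLNumber(1), critical=False)
            .add_revoked_certificate(entry)
            .sign(crl_key, hashes.SHA256()))


def find_crl_signer(crl, candidates):
    """Relying-party side: issuer name must match, the candidate must carry crlSign,
    and the CRL signature must verify under that candidate's key."""
    for cert in candidates:
        if cert.subject != crl.issuer:
            continue
        try:
            ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
        except x509.ExtensionNotFound:
            continue
        if ku.crl_sign and crl.is_signature_valid(cert.public_key()):
            return cert
    return None


def crl_status(crl, serial):
    """Look a serial up in the CRL and report it the way an OCSP responder would:
    ('good', None) if absent, else ('revoked', reason_name); a hold is still
    'revoked', distinguished only by the certificate_hold reason."""
    entry = crl.get_revoked_certificate_by_serial_number(serial)
    if entry is None:
        return ("good", None)
    try:
        reason = entry.extensions.get_extension_for_class(x509.CRLReason).value.reason
    except x509.ExtensionNotFound:
        reason = x509.ReasonFlags.unspecified
    return ("revoked", reason.name)


def demo():
    cert_key, ca_cert, crl_key, crl_signer_cert = issue_ca_certs()
    held_serial = 0x1001  # assumed serial of a suspended end-entity cert
    crl = issue_crl(crl_key, held_serial)
    signer = find_crl_signer(crl, [ca_cert, crl_signer_cert])
    return {
        "signer_is_crl_cert": signer is crl_signer_cert,
        "ca_key_verifies_crl": crl.is_signature_valid(ca_cert.public_key()),
        "held": crl_status(crl, held_serial),
        "other": crl_status(crl, 0x1002),
    }


if __name__ == "__main__":
    print(demo())
```

The check in `find_crl_signer` is the part a relying party has to get right: a CRL for this CA does not verify under the CA's cert-signing key, so software that hard-wires "CRL issuer == CA cert key" rejects a perfectly good CRL from the two-key arrangement. Note also that the held certificate comes back as `revoked`, not as a fourth state; the hold is carried in the reason code.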