
RE: OCSP and CSL



Steve, Russ, Massimiliano:

I agree that CRL-based suspension warrants deprecation.  However, we should
not rush to deprecate the notion of certificate suspension in general.

In actual practice, OCSP is being used to achieve certificate suspension
through the use of a state variable in a CA's certificate management
database.  The practice is directly analogous to velocity management of
credit cards, calling cards and the like.

The state variable of a certificate suspected of being unreliable is set to
an equivalent of "revoked", leading to a "revoked" OCSP response.  If it is
ultimately determined that the certificate is reliable (e.g. it is in fact
the subscriber making all those online purchases), the state variable is
reset back to an equivalent of "good".  This achieves the effect of
suspension with no additional complexity.

This further illustrates the fact that OCSP deployments should not depend
upon CRLs.

Mike




> -----Original Message-----
> From: Stephen Kent [mailto:kent@bbn.com]
> Sent: Wednesday, January 26, 2000 10:36 AM
> To: Massimiliano Pala

. . . .

> >I was also thinking about the OCSP service: if I can remember well
> >the possible states for a given certificate can be Good/Revoked or
> >Unknown only, right??? What about, if there is not yet, adding a
> >'Suspended' state???
> 
> I don't recall what OCSP says re suspended certs as a form of 
> revoked cert.
> 
> Finally, I have to agree with Russ. I am not fond of suspension as a 
> revocation declaration and since 2459 disparages use of this 
> facility, I don't think we should spend lots of time on this issue.
> 
> Steve
>
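The suspension mechanism Mike describes above, as an added illustration that is not part of the original thread: a state variable in the CA's certificate-management database, with the OCSP responder mapping "suspended" onto the standard `revoked` status and "reinstate" putting the record back to `good`. The database, its state names, the serial numbers and the `velocity_scenario` walk-through are all constructed for this example; the three OCSP CertStatus values are the ones defined in RFC 2560, and the `certificateHold` reason code is the CRLReason value RFC 2459 defines for a hold (its use here as the reason on a suspended record is an assumption, not something the thread specifies). The example also enforces the one check a practitioner would want: a permanently revoked certificate can never be reinstated through the suspension path.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class CertState(Enum):
    """State variable kept per certificate in the CA's management database.

    These state names are hypothetical; only the OCSP status derived from
    them is standardised."""
    GOOD = "good"
    SUSPENDED = "suspended"   # reversible: the certificate is suspected unreliable
    REVOKED = "revoked"       # permanent


class OcspStatus(Enum):
    """The three CertStatus values an OCSP responder can return (RFC 2560)."""
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


@dataclass
class CaDatabase:
    """Minimal stand-in for the CA's certificate-management database."""
    records: Dict[int, CertState] = field(default_factory=dict)
    audit: List[Tuple[int, str]] = field(default_factory=list)

    def issue(self, serial: int) -> None:
        self.records[serial] = CertState.GOOD
        self.audit.append((serial, "issued"))

    def suspend(self, serial: int) -> None:
        # Only a currently good certificate can be suspended, so a permanently
        # revoked one can never become reinstatable through this path.
        if self.records.get(serial) is not CertState.GOOD:
            raise ValueError(f"serial {serial} is not in state good")
        self.records[serial] = CertState.SUSPENDED
        self.audit.append((serial, "suspended"))

    def reinstate(self, serial: int) -> None:
        # The inverse transition: the suspicion was cleared.
        if self.records.get(serial) is not CertState.SUSPENDED:
            raise ValueError(f"serial {serial} is not suspended")
        self.records[serial] = CertState.GOOD
        self.audit.append((serial, "reinstated"))

    def revoke(self, serial: int) -> None:
        # Permanent revocation is allowed from good or suspended and is never undone.
        if serial not in self.records:
            raise KeyError(serial)
        self.records[serial] = CertState.REVOKED
        self.audit.append((serial, "revoked"))


def ocsp_status(db: CaDatabase, serial: int) -> Tuple[OcspStatus, Optional[str]]:
    """Derive the OCSP CertStatus (plus an optional revocationReason name)
    from the database state. Suspension is reported as 'revoked'; the
    responder needs neither a fourth status nor a CRL to achieve this."""
    state = db.records.get(serial)
    if state is None:
        return OcspStatus.UNKNOWN, None          # not issued by this CA
    if state is CertState.GOOD:
        return OcspStatus.GOOD, None
    if state is CertState.SUSPENDED:
        # Assumption: report the hold with the RFC 2459 certificateHold reason.
        # Relying parties treat the status as revoked either way.
        return OcspStatus.REVOKED, "certificateHold"
    return OcspStatus.REVOKED, "unspecified"


def velocity_scenario() -> List[OcspStatus]:
    """Walk one (constructed) certificate through suspect -> cleared -> later
    revoked for real, recording the status a relying party sees at each step."""
    db = CaDatabase()
    db.issue(1001)
    seen = [ocsp_status(db, 1001)[0]]
    db.suspend(1001)                     # unusual activity flagged
    seen.append(ocsp_status(db, 1001)[0])
    db.reinstate(1001)                   # it really was the subscriber
    seen.append(ocsp_status(db, 1001)[0])
    db.revoke(1001)                      # key later compromised for real
    seen.append(ocsp_status(db, 1001)[0])
    return seen


if __name__ == "__main__":
    for status in velocity_scenario():
        print(status.value)
```

Running the scenario prints `good`, `revoked`, `good`, `revoked`: the relying party sees exactly the same `revoked` answer during the hold as after the final revocation, which is the point Mike makes about suspension costing no additional protocol complexity. The `audit` list is what distinguishes the two cases on the CA side.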