
Re: German Law and OCSP



Ambarish Malpani wrote:
> 
> Hi Guys,
>     I recently read a document that seemed to indicate that
> the German Digital Signature Law or some related documents
> specified that you can use OCSP to check the revocation status
> of a cert, but they allowed you to send over all 0's as the
> hash of the CA's public key.

This is true. We introduced this option to enable the end system to make
queries about certificates when the CA certificate is not known (at least
at the time of this check). Therefore, we allowed the CA public key (or
rather its hash) to be "omitted" in the query. The hash is, of course,
required in the reply.

>     Does anybody know more about whether the statement above
> is true or not? If it is, I am concerned that they might not be
> using OCSP correctly.

We had to extend the functionality (it was mid-1998 if I remember
correctly). OCSP supports (supported) only the CRL-like "CRL on-line"
design. We needed (as Hans has written)

1. Certificate was created, has been in service since T, and is not
revoked
2. Certificate was created, has been in service since T, and is revoked
3. Certificate is unknown

which was not possible with the OCSP of that time.

Andreas Berger
GMD Darmstadt
-- 
We never have enough time!
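The convention discussed above, as an added example that is not part of the original thread or of any of the implementations it refers to: a minimal DER encoder and decoder for the OCSP CertID and OCSPRequest structures (RFC 2560), used to build one request whose issuerKeyHash is all zeros (the client does not know the CA key) beside one that carries the real SHA-1 issuer key hash, together with the responder-side check that tells the two apart and the CertID the responder would echo back with the real hash filled in. The key bytes, issuer name hash and serial numbers are constructed placeholders, not a real CA key; function names are the example's own.

```python
"""
Constructed example (not code from the mailing-list thread): minimal DER
encoding/decoding of the OCSP CertID / OCSPRequest structures of RFC 2560,
showing a request with an all-zero issuerKeyHash beside one carrying the
real SHA-1 issuer key hash, plus the responder-side check and reply CertID.
"""
import hashlib

SHA1_OID = (1, 3, 14, 3, 2, 26)          # id-sha1
RSA_OID = (1, 2, 840, 113549, 1, 1, 1)   # rsaEncryption
SEQUENCE, OCTET_STRING, INTEGER, OID, NULL, BIT_STRING = 0x30, 0x04, 0x02, 0x06, 0x05, 0x03

# Constructed placeholder key material and issuer name hash; not a real RSA key.
EXAMPLE_KEY = bytes(range(1, 65))
EXAMPLE_NAME_HASH = hashlib.sha1(b"CN=Example Issuer CA").digest()
ZERO_KEY_HASH = b"\x00" * 20   # "omitted" issuerKeyHash, as the German profile allows


def der(tag, body):
    """Encode one TLV with a DER definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_oid(arcs):
    """Encode an OBJECT IDENTIFIER from its arcs (base-128 sub-identifiers)."""
    out = [40 * arcs[0] + arcs[1]]
    for v in arcs[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out.extend(reversed(chunk))
    return der(OID, bytes(out))


def der_int(n):
    """Encode a non-negative INTEGER (leading 0x00 keeps the sign bit clear)."""
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return der(INTEGER, b)


def der_read(buf, pos=0):
    """Decode one TLV at pos; return (tag, body, end_of_tlv)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nb = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + ln], pos + ln


def build_example_spki():
    """SubjectPublicKeyInfo wrapped around the placeholder key (constructed)."""
    alg = der(SEQUENCE, der_oid(RSA_OID) + der(NULL, b""))
    return der(SEQUENCE, alg + der(BIT_STRING, b"\x00" + EXAMPLE_KEY))


def issuer_key_hash(spki_der):
    """RFC 2560 4.1.1: SHA-1 over the subjectPublicKey BIT STRING value,
    excluding tag, length and the unused-bits octet."""
    _, spki, _ = der_read(spki_der)
    _, _alg, p = der_read(spki)
    tag, bits, _ = der_read(spki, p)
    if tag != BIT_STRING:
        raise ValueError("malformed SubjectPublicKeyInfo")
    return hashlib.sha1(bits[1:]).digest()


def build_cert_id(name_hash, key_hash, serial):
    """CertID { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }."""
    alg = der(SEQUENCE, der_oid(SHA1_OID) + der(NULL, b""))
    return der(SEQUENCE, alg + der(OCTET_STRING, name_hash)
               + der(OCTET_STRING, key_hash) + der_int(serial))


def build_ocsp_request(*cert_ids):
    """Unsigned v1 OCSPRequest { tbsRequest { requestList SEQUENCE OF Request } }."""
    request_list = der(SEQUENCE, b"".join(der(SEQUENCE, c) for c in cert_ids))
    return der(SEQUENCE, der(SEQUENCE, request_list))


def extract_cert_ids(req_der):
    """Responder side: return the DER of every reqCert in the request."""
    _, ocsp_req, _ = der_read(req_der)
    _, tbs, _ = der_read(ocsp_req)
    pos, out = 0, []
    while pos < len(tbs):
        tag, body, pos = der_read(tbs, pos)
        if tag != SEQUENCE:   # skip [0] version, [1] requestorName, [2] extensions
            continue
        p = 0
        while p < len(body):
            _, request, p = der_read(body, p)
            _, _, end = der_read(request)   # reqCert is the first element of Request
            out.append(request[:end])
    return out


def parse_cert_id(cert_id_der):
    _, body, _ = der_read(cert_id_der)
    _, alg, p = der_read(body)
    _, hash_oid, _ = der_read(alg)
    _, name_hash, p = der_read(body, p)
    _, key_hash, p = der_read(body, p)
    _, serial, _ = der_read(body, p)
    return {"hash_oid": hash_oid, "issuer_name_hash": name_hash,
            "issuer_key_hash": key_hash, "serial": int.from_bytes(serial, "big")}


def key_hash_is_omitted(cert_id):
    """All-zero issuerKeyHash: the client does not know the CA key, so the
    responder must not match on it and must put the real hash in the reply."""
    h = cert_id["issuer_key_hash"]
    return len(h) > 0 and not any(h)


def cert_id_for_reply(cert_id, issuer_spki_der):
    """CertID to echo in the response, with the real issuer key hash filled in."""
    return build_cert_id(cert_id["issuer_name_hash"],
                         issuer_key_hash(issuer_spki_der), cert_id["serial"])
```

A responder following this convention looks the issuer up by issuerNameHash and serial when `key_hash_is_omitted` is true, and only compares issuerKeyHash when the client actually sent one; in both cases the reply carries the real hash from the issuer's SubjectPublicKeyInfo.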