Re: Generalizing the concept of id-pkix-ocsp-nocheck

[Russ Housley <housley@xxxxxxxxxx>]

Ambrish:

Are you suggesting that the replying party should blindly accept any 
certificate that contains this flag?  Or, are you suggesting that the flag 
indicates that no revocation information is available for the certificate?

Russ


At 09:26 PM 06/20/2000 -0700, Ambarish Malpani wrote:

> I was recently having a conversation with a collegue and he
> asked a question. Here goes:
>
> In OCSP, we have support the concept of a CA issuing a special
> certificate to an OCSP responder, allowing it to respond on its
> [the CA's] behalf with a special extended key usage flag.
>
> We also allow the CA to indicate that the responder's cert does
> not need to be validated by having it include the
> id-pkix-ocsp-nocheck extension in the responder's certificate.
>
> Why can't the concept of including an id-pkix-ocsp-nocheck
> extension in a certificate be extended to any arbitrary certificate
> to indicate that it doesn't need to be validated?
>
> If this makes sense, should this capability be specified in
> son-of-rfc2459?
>
> Comments?
>
> Ambarish
>
>
> ---------------------------------------------------------------------
> Ambarish Malpani
> Architect                                                650.567.5457
> ValiCert, Inc.                                  ambarish@valicert.com
> 339 N. Bernardo Ave.                          http://www.valicert.com
> Mountain View, CA 94043