
Re: Clarification request on RFC 2560

Denis Pinkas wrote:
> 
> In RFC 2560 section 4.2.1 (OCSP Response), we have
> 
> BasicOCSPResponse       ::= SEQUENCE {
>       tbsResponseData      ResponseData,
>       signatureAlgorithm   AlgorithmIdentifier,
>       signature            BIT STRING,
>       certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
> 
> Usually every ASN.1 field is explained, but in that document the certs field
> is not explained.
> 
> Should that optional field be interpreted to carry a sequence of possibly
> useful certificates?
> 
> Denis

That might be nice, but the big defect in this
ASN.1 is that there are two more or less "optional"
cases. One is when there are zero values of type 
Certificate, and the other when the OPTIONAL "certs"
component is absent. 

This could be fixed by defining or importing a type

   Certificates ::= SEQUENCE SIZE(1..MAX) OF Certificate

and changing the definition of type BasicOCSPResponse
to 

   BasicOCSPResponse       ::= SEQUENCE {
      tbsResponseData      ResponseData,
      signatureAlgorithm   AlgorithmIdentifier,
      signature            BIT STRING,
      certs                [0] EXPLICIT Certificates OPTIONAL
   }
 
This would also provide better semantic meaning when a
value of type "BasicOCSPResponse" was defined in a user
application using the new ASN.1 XML Value Notation.

Phil Griffin
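The two "optional" cases Phil describes, shown as an added example that is not part of the thread: a small DER walker in Python that tells an absent certs component apart from a present-but-empty SEQUENCE OF, plus a check applying the SIZE(1..MAX) constraint he proposes. The ResponseData, signature and Certificate contents are constructed placeholders, not real OCSP data.

```python
# Added illustration (not code from the thread); all bytes are constructed placeholders.

def tlv(tag, body):
    # DER TLV with short-form length (bodies here stay under 128 bytes)
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    # Return (tag, value, next_pos) for the short-form TLV at buf[pos]
    tag, n = buf[pos], buf[pos + 1]
    assert n < 0x80
    return tag, buf[pos + 2:pos + 2 + n], pos + 2 + n

# Stand-in for a DER Certificate (a SEQUENCE); contents are fake
FAKE_CERT = tlv(0x30, b"not a real certificate")

def basic_ocsp_response(certs):
    # certs=None leaves the OPTIONAL component absent; certs=[] makes it present but empty
    tbs = tlv(0x30, b"")                                   # placeholder ResponseData
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
    sig = tlv(0x03, b"\x00\xde\xad\xbe\xef")               # BIT STRING, 0 unused bits, fake
    body = tbs + alg + sig
    if certs is not None:
        body += tlv(0xA0, tlv(0x30, b"".join(certs)))      # [0] EXPLICIT SEQUENCE OF Certificate
    return tlv(0x30, body)

def certs_state(der):
    # Walk the outer SEQUENCE and classify certs as 'absent', 'empty' or 'n=<count>'
    _, body, _ = read_tlv(der, 0)
    pos = 0
    for _ in range(3):          # skip tbsResponseData, signatureAlgorithm, signature
        _, _, pos = read_tlv(body, pos)
    if pos >= len(body):
        return "absent"
    tag, explicit, _ = read_tlv(body, pos)
    if tag != 0xA0:
        raise ValueError("unexpected component tag %#x" % tag)
    _, seq, _ = read_tlv(explicit, 0)  # the SEQUENCE OF inside the EXPLICIT [0]
    count, p = 0, 0
    while p < len(seq):
        _, _, p = read_tlv(seq, p)
        count += 1
    return "empty" if count == 0 else "n=%d" % count

def satisfies_size_constraint(der):
    # RFC 2560's syntax admits the 'empty' encoding; SEQUENCE SIZE(1..MAX) OF would reject it
    return certs_state(der) != "empty"
```

A responder that encodes `A0 02 30 00` and one that omits the component entirely are both valid under the RFC 2560 syntax as written, which is exactly the ambiguity the constrained type removes.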