Re: OCSP RFC and OCSP version 2 ID
Santosh,
> Folks:
>
> I am looking at both the RFC and version 2 ID for OCSP. Each document
> contains statements that seem contradictory to me. This relates to the
> meaning of nextUpdate field in the OCSP SingleResponse. Some places each
> document states that:
>
> "If nextUpdate is not set, the responder is indicating that newer
> revocation information is available all the time"
>
> Other places each document states that:
>
> "Responses where the nextUpdate value is not set are equivalent to a CRL
> with no time for nextUpdate"
>
> Now, this appears contradictory to me since I do not interpret X.509 to
> imply that absence of the nextUpdate field in a CRL means near real-time CRL
> generation.
>
> I assume that the above is editorial oversight and the authors of both the
> RFC and ID mean that for OCSP, absence of nextUpdate means newer
> revocation information is available all the time.
The OCSP RFC advertises thisUpdate and nextUpdate as:
- thisUpdate: The time at which the status being indicated is known to be correct
- nextUpdate: The time at or before which newer information will be available about the status of the certificate
At the time the document was written, the main mechanism to feed the
information to the OCSP server was to use CRLs. So it seems sensible to
think that these fields are copied from a CRL.
So I would say that "responses where the nextUpdate value is not set are
equivalent to a CRL with no time for nextUpdate" is the correct
interpretation.
Now the text could be clarified to say what this really means!
Section 5.1.2.5 (Next Update) from PKIX Part 1 does not say a word in that
case.
The general response is the "certificate policy will tell", in the same way
that when some extensions are absent, e.g. the CRL Distribution points, the
certificate policy will tell.
So I would certainly not interpret it as: "If nextUpdate is not set, the
responder is indicating that newer revocation information is available all
the time".
Denis
> Santosh Chokhani
> CygnaCom Solutions, Inc.
> 7927 Jones Branch Drive, Suite 100 West
> McLean, VA 22102
> chokhani@xxxxxxxxxxxx
> (703) 270-3520 (703) 848-0960 (fax)
> www.cygnacom.com
>
> Entrust CygnaCom
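The practical consequence of the two readings debated above, as an added example that is not part of either post: a freshness check for the timing fields of an OCSP SingleResponse that follows the "CRL without nextUpdate" reading, so an absent nextUpdate is bounded by local policy instead of being accepted as "always current". The class names, the policy knobs (max age without nextUpdate, clock skew allowance) and the sample timestamps are assumptions constructed for the example.

```python
# Added example, not code from the thread: evaluate thisUpdate/nextUpdate of an
# OCSP SingleResponse. An absent nextUpdate is treated like a CRL with no
# nextUpdate, i.e. the relying party's policy decides how long the status may
# be relied on; it is NOT treated as "newer information is always available".
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


@dataclass
class SingleResponse:
    """Timing fields of a SingleResponse (field names assumed for the example)."""
    this_update: datetime
    next_update: Optional[datetime] = None  # OPTIONAL in the ASN.1


@dataclass
class FreshnessPolicy:
    """Assumed local policy: how stale a response without nextUpdate may be."""
    max_age_without_next_update: timedelta = timedelta(hours=24)
    clock_skew: timedelta = timedelta(minutes=5)


def is_fresh(resp: SingleResponse, policy: FreshnessPolicy,
             now: datetime) -> Tuple[bool, str]:
    """Return (accepted, reason) for the response at time `now`."""
    # thisUpdate must not lie in the future beyond the tolerated skew.
    if resp.this_update > now + policy.clock_skew:
        return False, "thisUpdate is in the future"
    if resp.next_update is not None:
        # nextUpdate present: the window is [thisUpdate, nextUpdate].
        if resp.next_update < resp.this_update:
            return False, "nextUpdate precedes thisUpdate"
        if now > resp.next_update + policy.clock_skew:
            return False, "response expired (past nextUpdate)"
        return True, "within [thisUpdate, nextUpdate]"
    # nextUpdate absent: bound the age by policy rather than accepting forever.
    age = now - resp.this_update
    if age > policy.max_age_without_next_update:
        return False, "nextUpdate absent and thisUpdate older than policy max age"
    return True, "nextUpdate absent; within policy max age"


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
    stale = SingleResponse(this_update=now - timedelta(hours=48))  # no nextUpdate
    print(is_fresh(stale, FreshnessPolicy(), now))  # rejected under the policy reading
```

A checker that instead takes an absent nextUpdate to mean "always fresh" would keep accepting the stale response above indefinitely, which is the risk the thread is really about.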