
RE: OCSP




Hi Haaino,
    There is nothing that says a responder must get all its
information from a CRL.

Other ways for a responder to get its information (for example) are:
- direct access to a CA's database which could contain up-to-date
	information about the status of all certificates
- special notifications provided to the responder (e.g. by the RA/
	other authorized parties) to give it up-to-date information
	(while a CA might be down/unavailable).

There is nothing in the spec that requires you to be able to verify
the responses from a responder against a CRL. So there is no
guarantee that you can verify a responder's responses in an
independent way.

Hope this helps,
Regards,
Ambarish

---------------------------------------------------------------------
Ambarish Malpani
Chief Architect                                          650.567.5457
ValiCert, Inc.                                  ambarish@xxxxxxxxxxxx
1215 Terra Bella Ave.                         http://www.valicert.com
Mountain View, CA 94043


> -----Original Message-----
> From: Haaino Beljaars [mailto:Haaino.Beljaars@xxxxxxx]
> Sent: Sunday, July 28, 2002 11:39 AM
> To: ietf-pkix@xxxxxxx
> Subject: OCSP
> 
> 
> 
> Hi,
> 
> I'm just wondering where, according to the RFC, the OCSP 
> responder may get his information besides a CRL? May an OCSP 
> responder get his information from a list of 
> to-be-published-certificates-on-the-crl? If so, how can an 
> entity check the validity of an OCSP response if the source 
> of the OCSP responder is a system he/she cannot check? 
> Which ways are open to an OCSP responder to retrieve 
> information about certificates? May those 'ways' also contain 
> proprietary means?
> Should a response by an OCSP responder always be in such a 
> way that it can be validated without the use of an OCSP 
> responder, this implies that an OCSP responder can only use a 
> CRL as a basis of his response or any other public way?
> 
> Best regards,
> Haaino
>