
RE: OCSP follow up



Hi everybody,
 
I have a follow-up question about OCSP.
 
I send a signed message to person A, person A checks the status of my certificate at time I by an OCSP responder, and the status of my certificate is 'good'. At time II, a time after I, my certificate is revoked. Person A checks my message again at time III, time III is after time II. 
 
Question: what is the response of the OCSP responder at time III? 
If the OCSP responder gives back 'revoked' at time III, isn't this incorrect? If the OCSP responder gives back 'good', this implies that the OCSP keeps some sort of a history?
If person A checks your message against a CRL it would indicate at time III that the certificate was good at the moment of signing.
 
A general question in all this: why doesn't the OCSP RFC have any angles with signed time? Or am I mistaken? Or have any 'history' possibilities? Keeping all this in mind, is it possible to only use OCSP and not CRL? Is it wise only to use OCSP and not CRL?
 
From: Ambarish Malpani:
 
>    There is nothing that says a responder must get all its
>information from a CRL.

>Other ways for a responder to get its information (for example) are:
>- direct access to a CA's database which could contain up-to-date
>        information about the status of all certificates
>- special notifications provided to the responder (e.g. by the RA/
>        other authorized parties) to give it up to date information
>        (while a CA might be down/unavailable).

>There is nothing in the spec that requires you to be able to verify
>the responses from a responder against a CRL. So there is no
>guarantee that you can verify a responder's responses in an
>independent way.

>> I'm just wondering where, according to the RFC, the OCSP
>> responder may get his information besides a CRL? May an OCSP
>> responder get his information from a list of
>> to-be-published-certificates-on-the-crl? If so, how can an
>> entity check the validity of an OCSP response if the source
>> of the OCSP responder is a system he/she cannot check?
>> Which ways are open to an OCSP responder to retrieve
>> information about certificates? May those 'ways' also contain
>> proprietary means?
>> Should a response by an OCSP responder always be in such a
>> way that it can be validated without the use of an OCSP
>> responder, this implies that an OCSP responder can only use a
>> CRL as a basis of his response or any other public way?

Best regards,
Haaino
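To make the time I / II / III question concrete, here is an added example in Python. It is my own illustration, not code from anyone on this thread and not from any OCSP implementation. It models a hypothetical responder that answers from a per-serial revocation record (a CA database rather than a CRL, as in the quoted reply) and a relying-party check that uses the revocationTime an OCSP 'revoked' status carries to decide whether the certificate was still good when the message was signed. The serial number, the three instants and the class names are constructed for the example; the signing time is assumed to come from a source the verifier trusts (e.g. a timestamp), not from the signer's own claim.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample instants matching the question: I < II < III.
T_I = datetime(2001, 3, 1, 10, 0, tzinfo=timezone.utc)    # message signed and first checked
T_II = datetime(2001, 3, 5, 12, 0, tzinfo=timezone.utc)   # certificate revoked
T_III = datetime(2001, 3, 9, 9, 0, tzinfo=timezone.utc)   # message checked again

SERIAL = 0x1234  # constructed serial number of the signer's certificate


@dataclass
class OcspResponse:
    """The fields of a single-response that matter for the timing question."""
    status: str                                  # "good", "revoked" or "unknown"
    this_update: datetime                        # when the responder's information was current
    revocation_time: Optional[datetime] = None   # present only for status "revoked"


class Responder:
    """Hypothetical responder keeping a revocation record per serial (not a CRL)."""

    def __init__(self) -> None:
        self._revoked: dict[int, datetime] = {}

    def revoke(self, serial: int, when: datetime) -> None:
        self._revoked[serial] = when

    def query(self, serial: int, now: datetime) -> OcspResponse:
        # The responder answers about the present: once revoked, the status is
        # "revoked" at every later query, but the response keeps the revocation
        # instant, so the relying party can still reason about the past.
        revoked_at = self._revoked.get(serial)
        if revoked_at is None or revoked_at > now:
            return OcspResponse("good", this_update=now)
        return OcspResponse("revoked", this_update=now, revocation_time=revoked_at)


def signature_valid_at(signing_time: datetime, response: OcspResponse) -> bool:
    """Was the certificate good at signing_time, judging from this response?

    Returns True only when the response positively covers the signing instant:
    a "good" status whose thisUpdate is not older than the signing time, or a
    "revoked" status whose revocationTime lies after the signing time.
    """
    if response.status == "good":
        # A "good" answer only vouches for the moment it was produced; if the
        # information predates the signature it says nothing about signing time.
        return response.this_update >= signing_time
    if response.status == "revoked" and response.revocation_time is not None:
        return signing_time < response.revocation_time
    return False  # "unknown", or malformed: do not accept


def run_scenario() -> dict:
    """Play out the question: check at I, revoke at II, check again at III."""
    responder = Responder()
    at_i = responder.query(SERIAL, now=T_I)
    responder.revoke(SERIAL, when=T_II)
    at_iii = responder.query(SERIAL, now=T_III)
    return {
        "status_at_I": at_i.status,
        "status_at_III": at_iii.status,
        "revocation_time": at_iii.revocation_time,
        # The message signed at time I is still acceptable at time III ...
        "signed_at_I_ok": signature_valid_at(T_I, at_iii),
        # ... but a message signed after the revocation is not.
        "signed_at_III_ok": signature_valid_at(T_III, at_iii),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point the example makes: the responder does not need a history to answer "revoked" at time III, and that answer is not wrong, because the revocationTime it carries lets the relying party see that the signature predates the revocation. The check is only as good as the signing time it is fed, and a revocation for key compromise may carry a revocation time later than the actual compromise, which is why a deployment that must validate old signatures usually anchors the signing time with a timestamp rather than trusting the signer's clock.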