
Re: OCSP concept question



I am not an OCSP expert either, but fortunately yesterday I read something
about the structure of OCSP responses.
I cross-checked it with RFC 2560.
There a sequence containing the revocationTime is defined.
Having in mind that an OCSP responder in general does nothing else but
check a CRL and forward the requested information, I cannot see a
difference between the usage of CRLs and OCSP except the necessity of retrieving
current CRLs.

Regards

Thomas Beckmann
 -------------------------------------
 Thomas Beckmann
 Head of the PKI and Trust Center group
 SchlumbergerSema -
 Competence Center Informatik GmbH
 Lohberg 10 - 49716 Meppen - Germany
 tel: +49 5931-805-242
 mobile: +49 170 2802 343
 fax: +49 5931-842-242
 mail: Tbeckmann@xxxxxxx




> -----Original Message-----
> From: Haaino Beljaars [mailto:Haaino.Beljaars@xxxxxxx]
> Sent: Sunday, 4 August 2002 15:48
> To: ietf-pkix@xxxxxxx
> Subject: OCSP concept question
> 
> 
> 
> Hi,
> 
> Hopefully somebody can help me with the following questions
> and remarks:
> 
> I send a signed message to person A, person A checks the 
> status of my certificate on time T by an OCSP request, and 
> the status of my certificate is 'good' according to the OCSP 
> response. At time T+1 my certificate is revoked. Person A 
> checks my message again at time T+2.
> 
> Question: what does the OCSP responder give back as status at T+2 ?
> 
> * If the OCSP responder gives back 'revoked' at time T+2, 
> then that is correct at that moment in time, but it is wrong 
> when you look at the time(T) when the message was signed, 
> because the message was signed when the certificate status 
> was still good.
> 
> * If the OCSP responder gives back 'good': this indicates 
> that an OCSP has a 'history' function. As far as I can 
> read this is not the case in the OCSP RFC.
> 
> If person A checks the message against a CRL it would indicate 
> at time T+2 that the certificate was good at the moment of 
> signing; this is because a CRL contains the time and date when a 
> certificate was revoked, but an OCSP response does not 
> contain that information.
> 
> According to this 'analysis' I get different answers 
> concerning the status of a certificate when I consult a CRL or OCSP?
> 
> Why doesn't an OCSP response contain date and time when a 
> certificate was revoked? 
> 
> And why doesn't an OCSP response contain a signed time? How 
> can I check that the time the OCSP responder gives back is correct?
> 
> Best regards,
> Haaino
>
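As an added example that is not part of either message, here is a small Python encoder/decoder for the RFC 2560 CertStatus CHOICE that Thomas refers to, where the 'revoked' alternative carries RevokedInfo.revocationTime, followed by the relying-party rule that applies it to Haaino's T / T+1 / T+2 scenario. The hand-rolled DER helpers and the three timestamps are constructed for illustration and are not taken from any real responder.

```python
from datetime import datetime, timezone

# Tags from RFC 2560 CertStatus: good [0] IMPLICIT NULL (0x80), revoked [1] IMPLICIT
# RevokedInfo (constructed, 0xA1); RevokedInfo.revocationTime is a GeneralizedTime (0x18).
TAG_GOOD, TAG_REVOKED, TAG_GENERALIZED_TIME = 0x80, 0xA1, 0x18

def _tlv(tag, body):
    """DER tag-length-value with short- or long-form length (minimal helper, constructed here)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    n = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(n)]) + n + body

def _read_tlv(buf, pos=0):
    """Parse one TLV starting at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def encode_cert_status(revocation_time=None):
    """Encode CertStatus: 'good' when no time is given, else 'revoked' carrying revocationTime."""
    if revocation_time is None:
        return _tlv(TAG_GOOD, b"")
    stamp = revocation_time.strftime("%Y%m%d%H%M%SZ").encode("ascii")  # DER GeneralizedTime, UTC
    return _tlv(TAG_REVOKED, _tlv(TAG_GENERALIZED_TIME, stamp))

def decode_cert_status(der):
    """Return ('good', None), ('revoked', revocationTime) or ('unknown', None)."""
    tag, body, _ = _read_tlv(der)
    if tag == TAG_GOOD:
        return "good", None
    if tag != TAG_REVOKED:
        return "unknown", None
    ttag, stamp, _ = _read_tlv(body)
    if ttag != TAG_GENERALIZED_TIME:
        raise ValueError("RevokedInfo must start with a GeneralizedTime")
    when = datetime.strptime(stamp.decode("ascii"), "%Y%m%d%H%M%SZ")
    return "revoked", when.replace(tzinfo=timezone.utc)

def status_at_signing_time(cert_status_der, signing_time):
    """Relying-party rule: 'revoked' still means 'good' for a signature made before revocationTime."""
    status, revoked_at = decode_cert_status(cert_status_der)
    if status == "revoked" and signing_time < revoked_at:
        return "good"
    return status

# Constructed scenario from the thread: signed at T, revoked at T+1, re-checked at T+2.
T = datetime(2002, 8, 4, 13, 48, 0, tzinfo=timezone.utc)
T1 = datetime(2002, 8, 4, 14, 48, 0, tzinfo=timezone.utc)
T2 = datetime(2002, 8, 4, 15, 48, 0, tzinfo=timezone.utc)
RESPONSE_AT_T2 = encode_cert_status(T1)  # what the responder answers at T+2

def demo():
    """Verdicts for the message signed at T and for a hypothetical one signed at T+2."""
    return status_at_signing_time(RESPONSE_AT_T2, T), status_at_signing_time(RESPONSE_AT_T2, T2)
```

The responder answers 'revoked' at T+2, but because the answer carries revocationTime = T+1 the verifier can still conclude 'good' for the message signed at T, which is the same information a CRL entry would give.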