
RE: OCSP and LDAP



> Ambarish Malpani wrote:
> > Hi Massimiliano,
> >     You should seriously consider having your responder work off a 
> > CA's CRL, rather than trying to access its database directly.
> 
> Well, our approach is towards the usage of an off-line CA, so 
> my problem is that usually the CRL might not be up to date with 
> the latest status of the certificate (let's say a user 
> requests that its certificate be revoked; from this time to the 
> time the CRL is issued there could be a time gap during 
> which I want the certificate to be reported as invalid -- 
> let's say with the onHold reason).
> 
> For this reason I need more information than just the CRL.

No, if you want to remove the latency in the system that is related to
the issuance interval of your CRL, then you should issue CRLs
immediately as the revocation occurs.
 
> There is another question about this approach: if the client 
> requests the status of a certificate with a serial that is 
> not within the CRL, should the responder not check for it 
> (i.e. its existence?) and, if it does not have information 
> about it, return an "unknown" answer?

No. There is some unclear wording in RFC 2560 that might lead one's thoughts
in that direction. "unknown" means that the OCSP responder is unable or unwilling
to answer the revocation query (because it doesn't know the CA, or
because it doesn't have up-to-date revocation information, or whatever).
A logical reaction to an "unknown" response is to go to some other OCSP
responder that might be better connected for the moment. If you confuse
the meaning of "unknown" with an assertion (that the certificate was
indeed never issued), then that availability feature breaks down (at
least if you have the wrong kind of client). The OCSPv2 draft has a
better wording.
 
Simon

Simon Tardell, cell +46 70 3198319, simon@xxxxxxxxxx
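The status semantics Simon describes, as an added illustration that is not part of the thread: a CRL-backed responder that answers "good" for any serial absent from a current CRL, "revoked" with the CRLReason for listed serials, and "unknown" only when it has no usable CRL for the CA; the client treats "unknown" as a cue to ask another responder, and a revocation issues a fresh CRL immediately to remove the interval latency. The `Crl`/`OcspResponder` classes, the sample CA name, serials and dates are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# CRLReason code certificateHold (RFC 5280): the "onHold" reason mentioned in the thread.
CERTIFICATE_HOLD = 6


@dataclass
class Crl:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: dict  # serial number -> CRLReason code


@dataclass
class OcspResponder:
    """CRL-backed responder holding one CRL per CA it answers for (constructed example)."""
    crls: dict  # issuer name -> Crl

    def cert_status(self, issuer, serial, now):
        crl = self.crls.get(issuer)
        # No CRL for this CA, or the CRL has expired: the responder cannot answer,
        # so it says "unknown" instead of asserting anything about the certificate.
        if crl is None or now >= crl.next_update:
            return "unknown", None
        if serial in crl.revoked:
            return "revoked", crl.revoked[serial]
        # A serial absent from a current CRL is "good"; the responder does not check
        # whether the CA ever issued that serial.
        return "good", None

    def revoke_now(self, issuer, serial, reason, now, lifetime=timedelta(hours=1)):
        """Remove the CRL-interval latency: issue a fresh CRL at revocation time."""
        old = self.crls[issuer]
        self.crls[issuer] = Crl(issuer, now, now + lifetime, {**old.revoked, serial: reason})


def query_with_failover(responders, issuer, serial, now):
    """Client side: "unknown" means this responder could not answer, so ask the next one."""
    for responder in responders:
        status, reason = responder.cert_status(issuer, serial, now)
        if status != "unknown":
            return status, reason
    return "unknown", None


# Constructed sample data (not from the thread): one CA, a fresh and a stale responder.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
CA = "CN=Example CA"
FRESH = OcspResponder({CA: Crl(CA, NOW - timedelta(hours=1), NOW + timedelta(hours=23), {0x1001: CERTIFICATE_HOLD})})
STALE = OcspResponder({CA: Crl(CA, NOW - timedelta(days=8), NOW - timedelta(days=1), {})})
```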