
Re: OCSP and LDAP



Simon Tardell wrote:
[...]r this reason I need some more information rather than the only CRL.


No, if you want to remove the latency in the system that is related to
the issuance interval of your CRL, then you should issue CRLs
immediately as the revocation occurs.

But in some environments this is not possible. Let's say the CA is under time-controlled access, unavailable from 8pm to 8am (for different reasons, i.e. security, lack of personnel, etc.), and a user asks for revocation at 9pm: should we let the certificate be reported as valid until 8am?

For this reason I need some additional information, my question was
about the presence of a standard describing where to store them
onto LDAP and if, to you, it could be better storing them on a
per certificate basis or in a single entry in the main organization
entry.

[ unknown ]
No. There is an unclear wording in RFC2560 that might lead the thoughts
in that direction. "unknown" means that the OCSP is unable or unwilling
to answer the revocation query (because it doesn't know the CA, or
because it doesn't have up-to-date revocation information or whatever).
A logical reaction to an "unknown" response is to go to some other OCSP
responder that might be better connected for the moment. If you confuse
the meaning of "unknown" to be an assertion (that the certificate was
indeed never issued) then that availability feature breaks down (at
least if you have the wrong kind of client). The OCSPv2 draft has a
better wording.

Quoting RFC2560: << The "unknown" state indicates that the responder doesn't know about the certificate being requested. >>. I was not saying that "unknown" means that the certificate has never been issued; anyway, how could the responder know which certificates have been issued? In this case the responder can't be sure about the validity of a certificate and it should, to me at least, therefore return an "unknown" status.

Because of these considerations I think the OCSP responder needs additional
data besides only the CRL(s). I know that this is a fast way of
having it working, but it works only when the CRLs are issued immediately (in the
same second) after certificate revocation, and this does not work in
environments where some human interaction (for example verification) is involved.

To me it seems to be just translating the CRLs into another format without adding
a real improvement to the validation process... I think OCSP should be more
useful than this.

--

C'you,

Massimiliano Pala

--o-------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager]                madwolf@xxxxxxxxxx
                                                  Tel.:   +39 (0)59  270  094
http://www.openca.org                            Fax:    +39   178  221 8225
http://openca.sourceforge.net                    Mobile: +39 (0)347 7222 365

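As an added illustration of the two points argued in this exchange (not code from either poster), here is a small Python model of a responder answering from a CRL alone versus from the CRL plus revocation notices received after the CRL was issued, together with a client that treats "unknown" as "ask another responder" rather than as a statement about the certificate. The CA name, serials and times are constructed sample data.

```python
from datetime import datetime

GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"


class Responder:
    """OCSP-style responder (constructed model, not a real implementation).

    crl: {issuer: {serial: revocation_time}} as published in the last CRL.
    pending: same shape, revocations recorded after that CRL was issued
             (the "additional data" the thread argues a responder needs).
    """

    def __init__(self, crl, pending=None):
        self.crl = crl
        self.pending = pending or {}

    def status(self, issuer, serial):
        # RFC 2560 "unknown": the responder doesn't know about this
        # certificate, e.g. it holds no revocation data for the issuer.
        if issuer not in self.crl:
            return UNKNOWN
        if serial in self.pending.get(issuer, {}) or serial in self.crl[issuer]:
            return REVOKED
        return GOOD


def client_check(responders, issuer, serial):
    """Client side: 'unknown' is not an assertion about the certificate,
    so move on to the next responder; only 'good'/'revoked' is final."""
    for r in responders:
        s = r.status(issuer, serial)
        if s != UNKNOWN:
            return s
    return UNKNOWN


# Constructed sample data: "Example CA" issued its last CRL at 20:00,
# and a revocation request for serial 0x2A arrived at 21:00.
CRL_8PM = {"Example CA": {0x10: datetime(2002, 1, 1, 12, 0)}}
PENDING = {"Example CA": {0x2A: datetime(2002, 1, 1, 21, 0)}}

crl_only = Responder(CRL_8PM)                 # answers from the CRL alone
crl_plus_pending = Responder(CRL_8PM, PENDING)
other_ca_only = Responder({"Other CA": {}})   # knows nothing of Example CA

if __name__ == "__main__":
    print(crl_only.status("Example CA", 0x2A))          # good (stale)
    print(crl_plus_pending.status("Example CA", 0x2A))  # revoked
    print(client_check([other_ca_only, crl_plus_pending], "Example CA", 0x2A))
```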