Then the certificate policy under which the EE cert was issued is inappropriate for the use to which the certificate itself is being put. If the EE requires up-to-the-minute revocation information to be available to its correspondents then it should make sure it is using a CA that can fulfil these requirements. Legality first, technology second.
I understand your point, and I do agree with you that the policy comes in the first place when setting up a CA.
Anyway, I do not agree with you when you state that this is the only way, at least now that there is OCSP. As I stated in my last email, my question was about what the best method of doing things was, but I still think OCSP can behave better than the old CRL mechanism; otherwise, why implement OCSP when the client could check the CRL by itself?
Anyway, thanks to you all for sharing your point of view on the subject, although I assume I am the only one supporting this approach to OCSP (right?) :-(
--o-------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager] madwolf@xxxxxxxxxx
Tel.: +39 (0)59 270 094
http://www.openca.org Fax: +39 178 221 8225
http://openca.sourceforge.net Mobile: +39 (0)347 7222 365
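The two revocation checks argued over in this thread, side by side, as an added example that is not part of the original message and not OpenCA's own code. It builds a throwaway CA with the openssl command-line tool, revokes one end-entity certificate, and then asks the same question twice: once by having the client fetch and parse the CA's CRL, once by having an OCSP responder answer from the CA's revocation database. Every file name, the serial number (0x1001), the dates in the index file and the "openssl ca" configuration are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): CRL check versus OCSP check
# for one revoked certificate, using only the openssl CLI. All file names,
# the serial number and the index.txt dates are assumptions for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

build_test_pki() {
    # Self-signed CA and one EE cert with a known serial number (0x1001).
    openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=TestCA \
        -keyout ca.key -out ca.crt -days 2 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=ee \
        -keyout ee.key -out ee.csr 2>/dev/null
    openssl x509 -req -in ee.csr -CA ca.crt -CAkey ca.key \
        -set_serial 0x1001 -days 1 -out ee.crt 2>/dev/null

    # Minimal "openssl ca" configuration: only what -gencrl needs.
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
database         = index.txt
default_md       = sha256
default_crl_days = 1
EOF
    # Revocation database in "openssl ca" format (tab separated):
    # status, expiry, revocation time, serial (even hex digits), file, DN.
    # "R" marks serial 1001 as revoked. The same file feeds both the CRL
    # and the OCSP responder, so neither answer can be fresher than it.
    printf 'R\t491231235959Z\t240101120000Z\t1001\tunknown\t/CN=ee\n' > index.txt
    echo 'unique_subject = yes' > index.txt.attr
}

# CRL path: the CA publishes a CRL; the client fetches it and checks itself.
check_with_crl() {
    openssl ca -config ca.cnf -gencrl -keyfile ca.key -cert ca.crt \
        -md sha256 -crldays 1 -out crl.pem 2>/dev/null
    if out=$(openssl verify -crl_check -CAfile ca.crt -CRLfile crl.pem ee.crt 2>&1); then
        echo good
    elif echo "$out" | grep -q 'certificate revoked'; then
        echo revoked
    else
        echo error
    fi
}

# OCSP path: the responder signs a per-certificate answer that carries its own
# thisUpdate/nextUpdate window; the client verifies that signature and window
# instead of parsing a whole CRL. With -index and no -port/-url, openssl ocsp
# runs as an offline responder for the request built from -issuer/-cert.
# -no_nonce on both sides because the response is stored and re-read here;
# a live client should keep the nonce and check it.
check_with_ocsp() {
    openssl ocsp -index index.txt -CA ca.crt -rsigner ca.crt -rkey ca.key \
        -issuer ca.crt -cert ee.crt -no_nonce -ndays 1 \
        -respout resp.der >/dev/null 2>&1 || { echo error; return; }
    # Client side: verify the stored response against the CA, report status.
    out=$(openssl ocsp -issuer ca.crt -cert ee.crt -respin resp.der \
        -CAfile ca.crt -no_nonce 2>&1) || { echo error; return; }
    echo "$out" | grep -q 'Response verify OK' || { echo unverified; return; }
    echo "$out" | sed -n 's/^ee\.crt: //p'
}

build_test_pki
echo "CRL check:  $(check_with_crl)"
echo "OCSP check: $(check_with_ocsp)"
```

Both functions answer "revoked" for the same certificate. What the OCSP path adds is visible in the second step: a signed, per-certificate status with its own thisUpdate/nextUpdate (set here with -ndays 1) that the client must verify before trusting, plus an optional nonce against replay; what it does not add is freshness beyond the CA's own database, since the responder here reads the very index.txt that produced the CRL. Run "openssl ocsp -respin resp.der -text -noverify" inside the work directory to inspect that window.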