RE: Cached OCSP responses vs. single entry CRLs
Michael:
The standard requires the IDP to be critical and not the CRLDP. If a client
does not process CRLDP, it will have to rely on a CRL.
-----Original Message-----
From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx] On
Behalf Of Michael Ströder
Sent: Wednesday, December 10, 2003 11:15 AM
To: Jean-Marc Desperrier
Cc: ietf-pkix@xxxxxxx
Subject: Re: Cached OCSP responses vs. single entry CRLs
Jean-Marc Desperrier wrote:
>
> I'm a bit sceptical it really works,
So am I.
> but if the CRL's IDP is marked
> critical as it should, maybe a good number of clients will duly reject
> the CRL when they cannot support that case.
I saw at least one widely-deployed software of a major vendor simply crash
when CRL IDP was marked critical.
Ciao, Michael.