
Re: [IETF-PKIX] OCSP Status Information on a Certificate



=======Marc Branchaud posted:
[. . .]
:
:One thing this exercise has showed me is that "unknown cert" is really a
:useless response value, since it is either bogus or subsumed by other values
:(like "unknown CA").

Should "unknown" statuses be read as follows?

Revocation =  "NotAvailable" // cannot access CRL information
              "UnknownCA"    // cannot access unknown CA database
Expiration =  "NotAvailable" // cannot access known CA database _contents_
              "UnknownCA"    // cannot access unknown CA database
Issued     =  "NotAvailable" // cannot access known CA database _directory_
              "UnknownCA"    // cannot access unknown CA database

Having this, a Responder implementation can support only part of the
specification without interoperability problems.
Note there is a difference between the "NotAvailable" semantics for the
Expiration and Issued statuses.

Note also that nothing (according to the spec design)
prevents implementing an OCSP Responder by extending CRLs
issued by a CA (or by just ignoring them altogether).

--Alexei
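An added illustration (not part of Alexei's message or of any PKIX implementation) of how a responder could map its three lookup sources onto the statuses listed above, keeping the distinction between "NotAvailable" for the database contents (Expiration) and for the directory (Issued), and deriving the Revocation answer purely from the CA's CRL as the message notes is possible. The `CaSources` structure, its field names, the labels "good"/"revoked"/"valid"/"expired"/"notFound"/"issued"/"notIssued" and the sample CA records are assumptions constructed for this example:

```python
# Added example, not code from the thread or from any OCSP responder.
# Maps lookup failures to the "NotAvailable" / "UnknownCA" statuses discussed
# above; every structure and label here is an assumption for illustration.
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

NOT_AVAILABLE = "NotAvailable"  # the source exists but cannot be reached right now
UNKNOWN_CA = "UnknownCA"        # the responder has no record of the issuing CA


@dataclass
class CaSources:
    """What the responder currently holds for one known CA (assumed layout)."""
    # Serials listed in the CA's latest CRL; None = CRL could not be fetched.
    crl_revoked: Optional[Set[int]]
    # Database contents: serial -> (not_before, not_after) as day numbers;
    # None = database contents unreachable.
    db_validity: Optional[Dict[int, Tuple[int, int]]]
    # Directory of issued serials; None = directory unreachable.
    directory: Optional[Set[int]]


def resolve_status(issuer: str, serial: int, today: int,
                   known_cas: Dict[str, CaSources]) -> Dict[str, str]:
    """Return one status per category (revocation, expiration, issued)."""
    ca = known_cas.get(issuer)
    if ca is None:
        # No entry for this CA at all: every category answers UnknownCA.
        return {k: UNKNOWN_CA for k in ("revocation", "expiration", "issued")}

    # Revocation: answered from the CA's CRL alone (the CRL-based responder
    # design the message says the spec does not rule out).
    if ca.crl_revoked is None:
        revocation = NOT_AVAILABLE
    else:
        revocation = "revoked" if serial in ca.crl_revoked else "good"

    # Expiration: needs the database *contents* (validity period).
    if ca.db_validity is None:
        expiration = NOT_AVAILABLE
    elif serial not in ca.db_validity:
        expiration = "notFound"  # constructed label: CA known, no such record
    else:
        not_before, not_after = ca.db_validity[serial]
        expiration = "valid" if not_before <= today <= not_after else "expired"

    # Issued: needs only the *directory* of issued serials, which may be
    # reachable even when the full database contents are not (and vice versa).
    if ca.directory is None:
        issued = NOT_AVAILABLE
    else:
        issued = "issued" if serial in ca.directory else "notIssued"

    return {"revocation": revocation, "expiration": expiration, "issued": issued}


# Constructed sample data: one fully reachable CA and one whose CRL and
# directory cannot be reached at the moment.
SAMPLE_CAS = {
    "Example CA": CaSources(
        crl_revoked={17},
        db_validity={17: (100, 400), 18: (100, 400)},
        directory={17, 18},
    ),
    "Offline CA": CaSources(
        crl_revoked=None,
        db_validity={5: (0, 50)},
        directory=None,
    ),
}

if __name__ == "__main__":
    for issuer, serial in (("Example CA", 17), ("Example CA", 18),
                           ("Offline CA", 5), ("Nobody CA", 1)):
        print(issuer, serial, resolve_status(issuer, serial, 200, SAMPLE_CAS))
```

Running the block shows the four cases side by side: a known CA with everything reachable, the same CA for a non-revoked serial, a CA whose CRL and directory are down (so only the Expiration category gets a definite answer), and an issuer the responder has never heard of.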