Re: [IETF-PKIX] OCSP Status Information on a Certificate
Hi Paul,
If a responder is working off CRLs, it can't tell whether a certificate
was ever issued or not. So I would strongly oppose making issued a
mandatory field (except if you allow it to have a dontKnow value).
Again, I do question why the client can't figure out for itself whether
that certificate was issued or not.
Ambarish
Paul Hoffman / IMC wrote:
>
> At 08:48 AM 4/17/98 -0700, you wrote:
> >And in the event a client receives {is revoked, not issued}, which
> >dominates? Similarly, {not revoked, not issued}. I remain unconvinced this
> >is no problem.
>
> To the client, "not issued" is always more important than revoked or not
> revoked. We can put that in the OCSP spec.
>
> >As soon as OCSP clients are out there in any volume, there
> >are those who will seek to determine the client's behavior in fringe cases.
>
> I fully agree. That's why I don't think that issued/not issued should
> be a MAY: I think it has to be a MUST. We can be sure that some clients
> will blow the comparison unless they are always told whether or not the
> cert was even issued.
>
> --Paul Hoffman, Director
> --Internet Mail Consortium
--
---------------------------------------------------------------------
Ambarish Malpani
Architect (650) 849-9880
ValiCert, Inc. ambarish@valicert.com
3160 W. Bayshore Road http://www.valicert.com
Palo Alto, CA 94303