[caops-wg] OCSP section 4
Olle Mulmo
mulmo at pdc.kth.se
Tue May 31 06:25:01 CDT 2005
> 4.2 talks about CRLs, as does 7.3, but most of the rest of the
> doc seems to assume only OCSP will exist. For example, 4.7 suggests
> that
> In case the resulting status after an exhausted search is still
> an error or status Unknown, the client SHOULD interpret that as
> Revoked with revocationReason certificateHold (that is, a non-definite
> revocation state), unless otherwise configured.
This is a bit evil, yes. The recommended interpretation above should be
that of the client, after consulting ALL revocation sources, including
CRLs. All other parties should simply reply "unknown" when they run out
of options.
> Experience with Grid / openssl use of CRLs and Netscape's
> OCSP client suggests to me that network failure and OCSP responder
> timeout should be considered as "unknown - tryLater"
> (we can agree to that - similar to 4.7).
Note that "tryLater" is an error code, whereas "unknown" is a
certificate status encoded in an otherwise perfectly fine and digitally
signed OCSP response. Two completely different things, in other words.
> 4.7 - discussion about delta CRLs.
4.7 is about error handling and the unknown status code. Do you mean
section 5.3 or 6.3?
> This seems to be a discussion about 2 recommendations:
> 1) CAs - publish your CRLs directly to the (some) OCSP responder(s)
> 2) use delta CRLs to reduce size
>
> Can we slim down those 2 paras to essentially say just that?
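The client-side rule argued over above (consult every source, CRLs included; treat tryLater and transport failures as "ask the next source" rather than as a certificate status; fall back to Revoked/certificateHold only once the client has exhausted everything, while any intermediate party answers "unknown") as an added Python sketch; it is not code from this thread or the draft, and the source names and the non-OCSP Failure labels are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional

class CertStatus(Enum):  # CertStatus inside a signed OCSP response, or derived from a CRL
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"

class Failure(Enum):  # NOT a certificate status: OCSPResponseStatus error or transport problem
    TRY_LATER = "tryLater"              # OCSPResponseStatus error code
    NETWORK_FAILURE = "networkFailure"  # seen by the client itself; constructed label
    TIMEOUT = "timeout"                 # seen by the client itself; constructed label

@dataclass
class SourceResult:
    source: str                         # constructed names, e.g. "ocsp:a" or "crl:issuer"
    failure: Optional[Failure] = None
    status: Optional[CertStatus] = None
    reason: Optional[str] = None        # revocationReason when status is REVOKED

@dataclass
class Decision:
    status: CertStatus
    reason: Optional[str]
    decided_by: str

def first_definite(results: Iterable[SourceResult]) -> Optional[Decision]:
    """Walk the sources in order; only a definite good/revoked ends the search."""
    for r in results:
        if r.failure is not None or r.status in (None, CertStatus.UNKNOWN):
            continue  # an error code or an honest 'unknown': consult the next source
        return Decision(r.status, r.reason, r.source)
    return None

def responder_reply(upstream: Iterable[SourceResult]) -> Decision:
    """Any party other than the final client simply says 'unknown' when out of options."""
    return first_definite(upstream) or Decision(CertStatus.UNKNOWN, None, "exhausted")

def client_decision(sources: Iterable[SourceResult], hold_on_exhausted: bool = True) -> Decision:
    """The relying client, after ALL OCSP responders and CRLs, applies the 4.7 default."""
    found = first_definite(sources)
    if found is not None:
        return found
    if hold_on_exhausted:  # default: non-definite revocation state
        return Decision(CertStatus.REVOKED, "certificateHold", "policy:exhausted")
    return Decision(CertStatus.UNKNOWN, None, "policy:exhausted")  # "unless otherwise configured"
```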