[caops-wg] OCSP document - proxies and delta CRLs

Olle Mulmo mulmo at pdc.kth.se
Tue May 31 06:35:21 CDT 2005


> * Page 7, section 5.5: the paragraph suggesting the use of Delta CRLs 
> to obtain Proxy Certificate's status has been deleted ("Another option 
> refers to using OCSP in a Push Operation Mode as mentioned in section 
> 6.3, where relying parties SHOULD obtain revocation information 
> through its OCSP service provider as soon as it is updated by the 
> corresponding CA through Delta-CRLs"). Only as a way to let the reader 
> know about this possibility, don't you think that it is worth keeping?

For an EE to "register" a proxy certificate with an OCSP responder, we 
will require a protocol, and/or extensions to an existing protocol. Why 
cannot the "disabling" of a previously registered proxy cert use the 
same channel?

The two operations are about making changes to the responder's 
revocation database, so for me it makes sense to have them tightly 
coupled.

I don't rule out the use of Delta CRLs, but a Delta must be built 
relative to a full CRL, which must be referenced. What is the full CRL 
of an EE? In addition, support would have to be added in the responder 
validation routines to allow EE (or proxies thereof?) certs to sign 
CRLs. Overall, this smells too much of a hack to me.

/Olle
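Olle's point that a delta CRL is only meaningful relative to the full CRL it references, shown as an added example that is not part of this thread: the delta carries a DeltaCRLIndicator naming the base CRL's number, and the relying party rejects a delta whose indicator does not match the base it holds. This uses the Python `cryptography` library; the issuer name, signing key and serial numbers are constructed for the demonstration.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed sample issuer and key (stand-ins for a real CA).
ISSUER = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example CA")])
KEY = ec.generate_private_key(ec.SECP256R1())
NOW = datetime.now(timezone.utc)


def build_crl(crl_number, base_crl_number=None, serials=()):
    """Sign a CRL. When base_crl_number is given, mark it as a delta
    relative to that full (base) CRL via the DeltaCRLIndicator extension."""
    b = (x509.CertificateRevocationListBuilder()
         .issuer_name(ISSUER)
         .last_update(NOW)
         .next_update(NOW + timedelta(days=1))
         .add_extension(x509.CRLNumber(crl_number), critical=False))
    if base_crl_number is not None:
        b = b.add_extension(x509.DeltaCRLIndicator(base_crl_number), critical=True)
    for s in serials:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(s).revocation_date(NOW).build())
    return b.sign(KEY, hashes.SHA256())


def delta_applies_to(delta, base):
    """Relying-party check: a delta is usable only on top of the full CRL it
    references (same issuer, indicator == base CRLNumber, valid signatures)."""
    try:
        ind = delta.extensions.get_extension_for_class(x509.DeltaCRLIndicator).value
    except x509.ExtensionNotFound:
        return False  # not a delta at all
    base_num = base.extensions.get_extension_for_class(x509.CRLNumber).value
    if delta.issuer != base.issuer or ind.crl_number != base_num.crl_number:
        return False
    pub = KEY.public_key()
    return delta.is_signature_valid(pub) and base.is_signature_valid(pub)


def is_revoked(serial, base, delta):
    """Merge base and delta: a serial is revoked if either lists it."""
    if not delta_applies_to(delta, base):
        raise ValueError("delta CRL does not reference this base CRL")
    return any(r.serial_number == serial for r in list(base) + list(delta))
```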