[caops-wg] OCSP document - proxies and delta CRLs
Olle Mulmo
mulmo at pdc.kth.se
Tue May 31 06:35:21 CDT 2005
> * Page 7, section 5.5: the paragraph suggesting the use of Delta CRLs
> to obtain Proxy Certificate's status has been deleted ("Another option
> refers to using OCSP in a Push Operation Mode as mentioned in section
> 6.3, where relying parties SHOULD obtain revocation information
> through its OCSP service provider as soon as it is updated by the
> corresponding CA through Delta-CRLs"). Only as a way to let the reader
> know about this possibility, don't you think that it is worth keeping?
For an EE to "register" a proxy certificate with an OCSP responder, we
will require a protocol, and/or extensions to an existing protocol. Why
cannot the "disabling" of a previously registered proxy cert use the
same channel?
The two operations are about making changes to the responder's
revocation database, so for me it makes sense to have them tightly
coupled.
I don't rule out the use of Delta CRLs, but a Delta must be built
relative to a full CRL, which must be referenced. What is the full CRL
of an EE? In addition, support would have to be added in the responder
validation routines to allow EE (or proxies thereof?) certs to sign
CRLs. Overall, this smells too much of a hack to me.
/Olle
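An added illustration (example code, not from this thread or any CAOPS document) of the responder-side validation Olle is describing: a delta CRL is accepted only if it carries a Delta CRL Indicator naming the full CRL it extends, comes from the same issuer as that full CRL, and is signed by a certificate with BasicConstraints cA=TRUE, so a CRL signed by an EE or a proxy is rejected. It uses the Python `cryptography` library; all names, serials and keys are constructed on the spot.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

NOW = datetime.datetime.now(datetime.timezone.utc)
DAY = datetime.timedelta(days=1)


def make_cert(common_name, is_ca, signer_key=None, issuer_cert=None):
    """Constructed certificate: self-signed CA, or an EE issued by issuer_cert."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(issuer_cert.subject if issuer_cert else name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + DAY)
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signer_key if signer_key is not None else key, hashes.SHA256()))
    return key, cert


def make_crl(key, signer_cert, number, revoked_serials, base_number=None):
    """Full CRL, or a delta CRL when base_number names the full CRL it extends."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(signer_cert.subject)
               .last_update(NOW).next_update(NOW + DAY)
               .add_extension(x509.CRLNumber(number), critical=False))
    if base_number is not None:
        builder = builder.add_extension(x509.DeltaCRLIndicator(base_number), critical=True)
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW).build())
    return builder.sign(key, hashes.SHA256())


def accept_delta(delta, base, signer_cert):
    """True only if delta extends base and both were issued and signed by a CA."""
    try:
        indicator = delta.extensions.get_extension_for_class(x509.DeltaCRLIndicator).value
        base_number = base.extensions.get_extension_for_class(x509.CRLNumber).value
        constraints = signer_cert.extensions.get_extension_for_class(x509.BasicConstraints).value
    except x509.ExtensionNotFound:
        return False  # a full CRL offered as a delta, or a signer without BasicConstraints
    if not constraints.ca:  # EE and proxy certificates are not allowed to sign CRLs
        return False
    if delta.issuer != base.issuer or delta.issuer != signer_cert.subject:
        return False
    if indicator.crl_number > base_number.crl_number:  # must reference this full CRL
        return False
    return delta.is_signature_valid(signer_cert.public_key())
```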