Bonsoir Rick,<div><br></div><div>If you don't allow resumption, then the certificate status stays revoked with certificateHold reason.</div><div><br></div><div>If you allow resumption but don't offer deltaCRLs, then you can't express this resumption (i.e. explicitely tell the certificate is now in a removeFromCRL state). But the certificate isn't revoked anymore and disappears from the complete CRL.</div>
<div><br></div><div>Nothing in the RFC or X.509 forbids suspension of certificates in complete CRLs. X.509 is again more clear on how to deal with it, here's an excerpt of clause 8.5.2.2 (200811 edition):</div><div><br>
</div><div>-----</div><div>
<p class="p1">Once a hold has been issued, it may be handled in one of three ways:</p>
<p class="p1">a)<span class="Apple-tab-span"> </span>it may remain on the CRL with no further action, causing users to reject transactions issued during the hold period; or,</p>
<p class="p1">b)<span class="Apple-tab-span"> </span>it may be replaced by a (final) revocation for the same certificate, in which case the reason shall be one of the standard reasons for revocation, the revocation date shall be the date the certificate was placed on hold, and the optional instruction code extension field shall not appear; or,</p>
<p class="p1">c)<span class="Apple-tab-span"> </span>it may be explicitly released and the entry removed from the CRL.</p></div><div>-----<br><br>Just after follows the description and use-case of removeFromCRL reason code.</div>
<div><br></div><div>(this email will be rejected by cabfpub because I'm not posting from work, can you manually forward it, please?)</div><div><br><br><div class="gmail_quote">2012/11/7 Rick Andrews <span dir="ltr"><<a href="mailto:Rick_Andrews@symantec.com" target="_blank">Rick_Andrews@symantec.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="white" lang="EN-US" link="blue" vlink="purple"><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Erwann,<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">I agree that resumption (removeFromCRL) is allowed only in delta CRLs, but I don’t understand your interpretation of the RFC. If you’re using full CRLs and you allow suspension but not resumption, then either<u></u><u></u></span></p>
<p style="margin-left:20.25pt"><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><span>(a)<span style="font:7.0pt "Times New Roman""> </span></span></span><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">The cert must must remain suspended until it expires, or<u></u><u></u></span></p>
<p style="margin-left:20.25pt"><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><span>(b)<span style="font:7.0pt "Times New Roman""> </span></span></span><u></u><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">The cert status can change from suspended (certificateHold) to valid<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">If (a), why use certificateHold at all? Why not use one of the other revocation reasons?<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">If (b), it seems that most people who have commented in this thread believe that should not be allowed.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">-Rick<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div><div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in"><p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"> <a href="mailto:public-bounces@cabforum.org" target="_blank">public-bounces@cabforum.org</a> [mailto:<a href="mailto:public-bounces@cabforum.org" target="_blank">public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Erwann Abalea<br>
<b>Sent:</b> Wednesday, November 07, 2012 10:53 AM<br><b>To:</b> <a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a></span></p><div><div class="h5"><br><b>Subject:</b> Re: [cabfpub] Fwd: [pkix] Straw-poll on OCSP responses for non-revoked certificates.<u></u><u></u></div>
</div><p></p></div></div><div><div class="h5"><p class="MsoNormal"><u></u> <u></u></p><div><p class="MsoNormal">Resumption is necessary in deltaCRLs, and is only allowed in deltaCRLs.<br>Suspension is allowed in every type of CRLs.<br>
We produce deltaCRLs for some CAs but no public one.<br><br><br><u></u><u></u></p><pre>-- <u></u><u></u></pre><pre>Erwann ABALEA<u></u><u></u></pre><pre><u></u> <u></u></pre><p class="MsoNormal">Le 07/11/2012 19:25, Rick Andrews a écrit :<u></u><u></u></p>
</div><blockquote style="margin-top:5.0pt;margin-bottom:5.0pt"><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">When I looked at the RFC some time ago, it seemed that suspension and resumption were only allowed in delta CRLs. I don’t know of any CAs or browsers that support delta CRLs.</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">-Rick</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p><div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div><div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in"><p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"> <a href="mailto:public-bounces@cabforum.org" target="_blank">public-bounces@cabforum.org</a> [<a href="mailto:public-bounces@cabforum.org" target="_blank">mailto:public-bounces@cabforum.org</a>] <b>On Behalf Of </b><a href="mailto:i-barreira@izenpe.net" target="_blank">i-barreira@izenpe.net</a><br>
<b>Sent:</b> Wednesday, November 07, 2012 12:52 AM<br><b>To:</b> <a href="mailto:eddy_nigg@startcom.org" target="_blank">eddy_nigg@startcom.org</a>; <a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a><br>
<b>Subject:</b> Re: [cabfpub] Fwd: [pkix] Straw-poll on OCSP responses for non-revoked certificates.</span><u></u><u></u></p></div></div><p class="MsoNormal"> <u></u><u></u></p><p class="MsoNormal"><span lang="ES" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">On the CRL you can suspend a certificate (the response is revoked) and turned it back to a good status and this is perfectly valid.</span><u></u><u></u></p>
<p class="MsoNormal"><span lang="ES" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p><div><p class="MsoNormal" style="line-height:9.75pt"><b><span lang="ES-TRAD" style="font-size:8.5pt;font-family:"Tahoma","sans-serif""> </span></b><u></u><u></u></p>
<p class="MsoNormal" style="line-height:9.75pt"><b><span lang="ES-TRAD" style="font-size:8.5pt;font-family:"Tahoma","sans-serif"">Iñigo Barreira</span></b><span lang="ES-TRAD" style="font-size:8.5pt;font-family:"Tahoma","sans-serif""><br>
Responsable del Área técnica<br><a href="mailto:i-barreira@izenpe.net" target="_blank">i-barreira@izenpe.net</a></span><u></u><u></u></p><p class="MsoNormal"><span lang="ES-TRAD" style="font-size:8.5pt;font-family:"Tahoma","sans-serif"">945067705</span><u></u><u></u></p>
<p class="MsoNormal"><span lang="ES-TRAD" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p><p class="MsoNormal"><span lang="ES" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><img border="0" width="585" height="111" src="cid:image001.png@01CDBCEC.FB4C0760"></span><u></u><u></u></p>
<p class="MsoNormal" style="line-height:9.75pt"><span lang="ES" style="font-size:7.5pt;font-family:"Tahoma","sans-serif";color:#888888">ERNE! Baliteke mezu honen zatiren bat edo mezu osoa legez babestuta egotea. Mezua badu bere hartzailea. Okerreko helbidera heldu bada (helbidea gaizki idatzi, transmisioak huts egin) eman abisu igorleari, korreo honi erantzuna. KONTUZ!</span><span lang="ES" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#888888"><br>
</span><span lang="ES" style="font-size:7.5pt;font-family:"Tahoma","sans-serif";color:#888888">ATENCION! Este mensaje contiene informacion privilegiada o confidencial a la que solo tiene derecho a acceder el destinatario. Si usted lo recibe por error le agradeceriamos que no hiciera uso de la informacion y que se pusiese en contacto con el remitente.</span><u></u><u></u></p>
</div><p class="MsoNormal"><span lang="ES" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span><u></u><u></u></p><div><div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span lang="ES" style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">De:</span></b><span lang="ES" style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"> <a href="mailto:public-bounces@cabforum.org" target="_blank">public-bounces@cabforum.org</a> [<a href="mailto:public-bounces@cabforum.org" target="_blank">mailto:public-bounces@cabforum.org</a>] <b>En nombre de </b>Eddy Nigg (StartCom Ltd.)<br>
<b>Enviado el:</b> miércoles, 31 de octubre de 2012 21:45<br><b>Para:</b> <a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a><br><b>Asunto:</b> Re: [cabfpub] Fwd: [pkix] Straw-poll on OCSP responses for non-revoked certificates.</span><u></u><u></u></p>
</div></div><p class="MsoNormal"><span lang="ES"> </span><u></u><u></u></p><p class="MsoNormal"><span lang="ES"><br>On 10/31/2012 10:32 PM, From Ben Wilson: </span><u></u><u></u></p><p class="MsoNormal"><span lang="ES" style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">If a modification of RFC 2560 allows an extension to change the meaning of a “1” response to something else. It was you who said “[it] might be good, …, either due to migration and update time or other reasons (out-of-sync cor whatever).”</span><u></u><u></u></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="ES"><br>Yes, that's why I think using "Unknown" is the correct response and not revoked for those. A revoked certificate can't be made valid ever after as long as it hasn't expired. And "Unknown" != "Good".<br>
<br>However once a certificate was marked as revoked, in my opinion a client doesn't have to check again ever.</span><u></u><u></u></p><div><table border="0" cellspacing="0" cellpadding="0"><tbody><tr><td colspan="2" style="padding:0in 0in 0in 0in">
<p class="MsoNormal">Regards <u></u><u></u></p></td></tr><tr><td colspan="2" style="padding:0in 0in 0in 0in"><p class="MsoNormal"> <u></u><u></u></p></td></tr><tr><td style="padding:0in 0in 0in 0in"><p class="MsoNormal">Signer: <u></u><u></u></p>
</td><td style="padding:0in 0in 0in 0in"><p class="MsoNormal">Eddy Nigg, COO/CTO<u></u><u></u></p></td></tr><tr><td style="padding:0in 0in 0in 0in"><p class="MsoNormal"> <u></u><u></u></p></td><td style="padding:0in 0in 0in 0in">
<p class="MsoNormal"><a href="http://www.startcom.org" target="_blank">StartCom Ltd.</a><u></u><u></u></p></td></tr><tr><td style="padding:0in 0in 0in 0in"><p class="MsoNormal">XMPP: <u></u><u></u></p></td><td style="padding:0in 0in 0in 0in">
<p class="MsoNormal"><a>startcom@startcom.org</a><u></u><u></u></p></td></tr><tr><td style="padding:0in 0in 0in 0in"><p class="MsoNormal">Blog: <u></u><u></u></p></td><td style="padding:0in 0in 0in 0in"><p class="MsoNormal">
<a href="http://blog.startcom.org" target="_blank">Join the Revolution!</a><u></u><u></u></p></td></tr><tr><td style="padding:0in 0in 0in 0in"><p class="MsoNormal">Twitter: <u></u><u></u></p></td><td style="padding:0in 0in 0in 0in">
<p class="MsoNormal"><a href="http://twitter.com/eddy_nigg" target="_blank">Follow Me</a><u></u><u></u></p></td></tr><tr><td colspan="2" style="padding:0in 0in 0in 0in"><p class="MsoNormal"> <u></u><u></u></p></td></tr></tbody></table>
</div><p class="MsoNormal"><span lang="ES"> </span><u></u><u></u></p></div><p class="MsoNormal"><br><br><br><u></u><u></u></p><pre>_______________________________________________<u></u><u></u></pre><pre>Public mailing list<u></u><u></u></pre>
<pre><a href="mailto:Public@cabforum.org" target="_blank">Public@cabforum.org</a><u></u><u></u></pre><pre><a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a><u></u><u></u></pre>
</blockquote><p class="MsoNormal"><u></u> <u></u></p></div></div></div></div></div><br>_______________________________________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br>Erwann.<br>
</div>