[cabfpub] Notes of meeting, CA/Browser Forum, Gjøvik, Norway, 26-28 June 2012
y-iida at secom.co.jp
Thu Jul 12 21:59:59 MST 2012
I see no answers and I take it as "there are no such standards
at this moment". Maybe I'd better rephrase my questions.
* Which OCSP responder products are based on both
the list of valid certificates
and
the revocation list?
* Which CA products do the OCSP responder products above support?
Thanks in advance.
--
iida
On 2012-07-09, I wrote:
>Thank you for your reply, Yngve.
>Some simple questions occurred to me.
>
>* Just like CRL, is there any standardized data format for the list
> of valid certificates?
>
>* Are there any standardized protocols between CA and OCSP responder
> (or generic client of CA) with the following functionalities?
> + to get the list of (serial number of) valid (or all) certificates
> or
> + to ask whether a certificate with given serial number has been
> issued or not
>
>Thanks in advance.
...
>>Therefore, in order to not respond "good" for an unknown certificate, the
>>OCSP responder's responses need to be based on at least the combined list
>>of valid certificates and the revocation list.
...
>>>Does it mean that OCSP responder implementations which:
>>> 1. read (only) CRL
>>> 2. check whether requested serial is in there
>>> 3. if there is, respond "Revoked"
>>> 4. if not, respond "Good"
>>>are not allowed?
...
>>>>8. BR Issues list.
...
>>>>It was decided to disallow the "Good" response in the case where the
>>>>OCSP responder for a particular CA does not know if that CA issued
>>>>the certificate.
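To make the point of the thread concrete, here is an added example (not code from the list or from any CA product) comparing the two responder policies discussed above on constructed serial numbers: a CRL-only responder answers "good" for a serial the CA never issued, while a responder that also consults the list of issued certificates answers "unknown". The function and data names are assumptions for illustration only.

```python
from __future__ import annotations
from enum import Enum


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


def crl_only_responder(serial: int, crl_serials: set[int]) -> Status:
    """Policy the thread says is disallowed: only the CRL is consulted, so
    any serial absent from it is reported 'good', including serials the CA
    never issued (e.g. a forged or mis-issued certificate)."""
    return Status.REVOKED if serial in crl_serials else Status.GOOD


def combined_responder(serial: int, issued_serials: set[int],
                       crl_serials: set[int]) -> Status:
    """Policy the thread describes: 'good' is only returned for a serial
    that appears on the list of issued certificates and not on the CRL;
    a serial the responder has never seen issued yields 'unknown'."""
    if serial in crl_serials:
        return Status.REVOKED
    if serial in issued_serials:
        return Status.GOOD
    return Status.UNKNOWN


# Constructed sample data: three issued serials, one of them revoked.
ISSUED = {0x1001, 0x1002, 0x1003}
CRL = {0x1002}


def compare(serials: list[int]) -> dict[int, tuple[str, str]]:
    """Return (crl_only_answer, combined_answer) for each queried serial."""
    return {s: (crl_only_responder(s, CRL).value,
                combined_responder(s, ISSUED, CRL).value) for s in serials}


if __name__ == "__main__":
    # 0x9999 was never issued: the CRL-only responder still says 'good'.
    for serial, (crl_only, combined) in compare([0x1001, 0x1002, 0x9999]).items():
        print(f"serial {serial:#06x}: crl-only={crl_only:8} combined={combined}")
```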