[cabfpub] Notes of meeting, CA/Browser Forum, Gjøvik, Norway, 26-28 June 2012
y-iida at secom.co.jp
Mon Jul 9 04:54:19 UTC 2012
Thank you for your reply, Yngve.
Some simple questions occurred to me.
* Just like the CRL, is there any standardized data format for the list
of valid certificates?
* Are there any standardized protocols between a CA and an OCSP responder
(or a generic client of the CA) with the following functionalities?
+ to get the list of (serial number of) valid (or all) certificates
or
+ to ask whether a certificate with given serial number has been
issued or not
Thanks in advance.
--
iida
>Therefore, in order to not respond "good" for an unknown certificate, the
>OCSP responder's responses need to be based on at least the combined list
>of valid certificates and the revocation list.
...
>>Does it mean that OCSP responder implementations which:
>> 1. read (only) CRL
>> 2. check whether requested serial is in there
>> 3. if there is, respond "Revoked"
>> 4. if not, respond "Good"
>>are not allowed?
...
>>>8. BR Issues list.
...
>>>It was decided to disallow the "Good" response in the case where the
>>>OCSP responder for a particular CA does not know if that CA issued
>>>the certificate.
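The difference between the two responder behaviours discussed in this thread (CRL-only lookup that answers "good" for anything not on the CRL, versus a lookup that also consults the list of certificates the CA actually issued) can be shown in a few lines. The following is an added illustration, not code from the Forum or from any responder implementation; it assumes a hypothetical in-memory stand-in for the CA's issued-serial list and CRL (constructed sample serials), and it picks RFC 6960's "unknown" CertStatus as the non-"good" answer for a serial the CA never issued.

```python
from dataclasses import dataclass
from typing import FrozenSet, Literal, Tuple

# RFC 6960 defines exactly three CertStatus values.
CertStatus = Literal["good", "revoked", "unknown"]


@dataclass(frozen=True)
class ResponderData:
    """Hypothetical in-memory stand-in for what a responder would load from a CA.

    issued:  serial numbers the CA actually issued (the 'list of valid
             certificates' referred to in the thread)
    revoked: serial numbers carried on the CA's CRL
    """
    issued: FrozenSet[int]
    revoked: FrozenSet[int]


def status_crl_only(data: ResponderData, serial: int) -> CertStatus:
    """The behaviour the thread says is disallowed: consult only the CRL and
    answer 'good' for every serial not on it, including serials the CA
    never issued."""
    return "revoked" if serial in data.revoked else "good"


def status_issued_and_crl(data: ResponderData, serial: int) -> CertStatus:
    """Responder logic consistent with the decision quoted above: 'good' is
    returned only when the CA is known to have issued the serial; a serial
    the CA does not recognise gets 'unknown' rather than 'good'."""
    if serial in data.revoked:
        return "revoked"
    if serial in data.issued:
        return "good"
    return "unknown"


# Constructed sample data (not real certificate serials).
SAMPLE = ResponderData(
    issued=frozenset({0x1001, 0x1002, 0x1003}),
    revoked=frozenset({0x1002}),
)


def compare(serial: int) -> Tuple[CertStatus, CertStatus]:
    """Return (crl_only_answer, issued_plus_crl_answer) for one serial so the
    divergence on a never-issued serial is visible side by side."""
    return status_crl_only(SAMPLE, serial), status_issued_and_crl(SAMPLE, serial)


if __name__ == "__main__":
    # 0xDEAD was never issued: the CRL-only responder still says "good".
    for s in (0x1001, 0x1002, 0xDEAD):
        print(hex(s), compare(s))
```

The third serial in the usage loop is the case the Forum decision addresses: a serial absent from both the CRL and the issued list, for which the CRL-only responder wrongly affirms "good". Whether a responder should answer "unknown" or use another non-"good" status for such serials is a policy choice not settled by the quoted text; the example only demonstrates that the issued list is the input that makes the distinction possible.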