[cabfpub] Notes of meeting, CA/Browser Forum, Gjøvik, Norway, 26-28 June 2012

y-iida at secom.co.jp
Mon Jul 9 04:54:19 UTC 2012


Thank you for your reply, Yngve.
Some simple questions occurred to me.

* Just like the CRL, is there any standardized data format for the list
  of valid certificates?

* Are there any standardized protocols between the CA and the OCSP responder
  (or a generic client of the CA) with the following functionality?
  + to get the list of (serial numbers of) valid (or all) certificates
  or
  + to ask whether a certificate with a given serial number has been
    issued or not

Thanks in advance.
--
  iida

>Therefore, in order to not respond "good" for an unknown certificate, the  
>OCSP responder's responses need to be based on at least the combined list  
>of valid certificates and the revocation list.
...
>>Does it mean that OCSP responder implementations which:
>>  1. read (only) CRL
>>  2. check whether requested serial is in there
>>  3. if there is, respond "Revoked"
>>  4. if not, respond "Good"
>>are not allowed?
...
>>>8. BR Issues list.
...
>>>It was decided to disallow the "Good" response in the case where the
>>>OCSP responder for a particular CA does not know if that CA issued
>>>the certificate.
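The two responder strategies discussed in the quoted thread, written out as an added illustration; this is not code from the CA/Browser Forum, from Yngve, or from any real responder. The issued-certificate index, the CRL entries and the serial numbers are constructed sample data, and the status names follow the CertStatus choices defined in RFC 2560 (good / revoked / unknown). The CRL-only function reproduces the four-step logic quoted above; the combined function answers from the union of the issued list and the CRL, so a serial the CA never issued comes back "unknown" instead of "good".

```python
"""OCSP status decision: CRL-only versus issued-list-plus-CRL.

Added example for this thread, not code from the original message or
from any CA/Browser Forum member. All data below is constructed.
"""
from datetime import datetime, timezone

# Constructed sample: the CA's own record of every serial it has issued.
# There is no standardized format or protocol for obtaining this list,
# which is the point of the question in the message above; a real
# responder would read it from the CA database or an internal feed.
ISSUED_SERIALS = {0x1001, 0x1002, 0x1003, 0x1004}

# Constructed sample CRL content: serial -> (revocation time, reason).
CRL_ENTRIES = {
    0x1002: (datetime(2012, 6, 1, tzinfo=timezone.utc), "keyCompromise"),
}


def crl_only_status(serial: int, crl_entries: dict) -> str:
    """Steps 1-4 of the quoted responder: read only the CRL, answer
    "revoked" if the serial is listed and "good" otherwise.

    Any serial that was never issued (a typo in a request, or a
    certificate forged on a compromised key and never recorded by the
    CA) is therefore reported as "good"."""
    return "revoked" if serial in crl_entries else "good"


def combined_status(serial: int, issued: set, crl_entries: dict) -> str:
    """Answer from the combined issued list and CRL.

    Revocation wins over everything (a revoked serial missing from the
    issued index is still revoked); "good" is reserved for serials the
    CA actually issued; everything else is "unknown"."""
    if serial in crl_entries:
        return "revoked"
    if serial in issued:
        return "good"
    return "unknown"


def compare(serial: int, issued=ISSUED_SERIALS, crl_entries=CRL_ENTRIES):
    """Return (CRL-only answer, combined answer) for one serial so the
    two strategies can be put side by side."""
    return (crl_only_status(serial, crl_entries),
            combined_status(serial, issued, crl_entries))


if __name__ == "__main__":
    # 0x9999 was never issued: the CRL-only responder says "good",
    # the combined responder says "unknown".
    for serial in (0x1001, 0x1002, 0x9999):
        crl_only, combined = compare(serial)
        print(f"serial {serial:#06x}: CRL-only={crl_only:8} combined={combined}")
```

The difference only shows up for serials outside both lists, which is exactly the case the meeting decision addresses: with a CRL alone the responder cannot distinguish "issued and not revoked" from "never issued", so it must have the issued list (or an equivalent query to the CA) before it may answer "good".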
