[cabfpub] Notes of meeting, CA/Browser Forum, Gjøvik, Norway, 26-28 June 2012

y-iida at secom.co.jp y-iida at secom.co.jp
Fri Jul 13 04:59:59 UTC 2012

I see no answers and I take it as ``there are no such standards
at this moment''.  Maybe I'd better rephrase my questions.

* Which OCSP responder products are based on both
      the list of valid certificates
      the revocation list?
* Which CA products do the OCSP responder products above support?

Thanks in advance.

On 2012-07-09, I wrote:
>Thank you for your reply, Yngve.
>Some simple questions occurred to me.
>* Just like CRL, are there any standardized data format for the list
>  of valid certificates?
>* Are there any standardized protocols between CA and OCSP responder
>  (or generic client of CA) with the following functionalities?
>  + to get the list of (serial number of) valid (or all) certificates
>  or
>  + to ask whether a certificate with given serial number has been
>    issued or not
>Thanks in advance.
>>Therefore, in order to not respond "good" for an unknown certificate, the  
>>OCSP responder's responses need to be based on at least the combined list  
>>of valid certificates and the revocation list.
>>>Does it mean that OCSP responder implementations which:
>>>  1. read (only) CRL
>>>  2. check whether requested serial is in there
>>>  3. if there is, respond "Revoked"
>>>  4. if not, respond "Good"
>>>are not allowed?
>>>>8. BR Issues list.
>>>>It was decided to disallow the "Good" response in the case where the
>>>>OCSP responder for a particular CA does not know if that CA issued
>>>>the certificate.

More information about the Public mailing list