[cabfpub] Fwd: [pkix] Straw-poll on OCSP responses for non-revoked certificates.
Rob Stradling
rob.stradling at comodo.com
Thu Nov 1 02:50:51 MST 2012
On 31/10/12 20:44, Eddy Nigg (StartCom Ltd.) wrote:
<snip>
> A revoked certificate can't be made valid ever after
> as long as it hasn't expired.
Eddy, I completely disagree. RFC2560 very clearly states...
"The "revoked" state indicates that the certificate has been revoked
(either permanantly or temporarily (on hold))."
In other words, RFC2560-compliant OCSP _always_ has the option of
changing a certificate's status from "revoked" to "good".
(Of course, if the same certificate has been permanently revoked on a
CRL, it would probably be unwise to have OCSP report its status as
"good". However, given that the BRs allow CRLs to be optional, this
won't always be an issue).
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online