[cabfpub] Fwd: [pkix] Straw-poll on OCSP responses for non-revoked certificates.

Rob Stradling rob.stradling at comodo.com
Thu Nov 1 02:50:51 MST 2012


On 31/10/12 20:44, Eddy Nigg (StartCom Ltd.) wrote:
<snip>
> A revoked certificate can't be made valid ever after
> as long as it hasn't expired.

Eddy, I completely disagree.  RFC2560 very clearly states...

   "The "revoked" state indicates that the certificate has been revoked
    (either permanantly or temporarily (on hold))."

In other words, RFC2560-compliant OCSP _always_ has the option of 
changing a certificate's status from "revoked" to "good".

(Of course, if the same certificate has been permanently revoked on a 
CRL, it would probably be unwise to have OCSP report its status as 
"good".  However, given that the BRs allow CRLs to be optional, this 
won't always be an issue).

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online


