[cabfpub] Fwd: [pkix] Straw-poll on OCSP responses for non-revoked certificates.

Rob Stradling rob.stradling at comodo.com
Thu Nov 1 09:50:51 UTC 2012

On 31/10/12 20:44, Eddy Nigg (StartCom Ltd.) wrote:
> A revoked certificate can't be made valid ever after
> as long as it hasn't expired.

Eddy, I completely disagree.  RFC2560 very clearly states...

   "The "revoked" state indicates that the certificate has been revoked
    (either permanantly or temporarily (on hold))."

In other words, RFC2560-compliant OCSP _always_ has the option of 
changing a certificate's status from "revoked" to "good".

(Of course, if the same certificate has been permanently revoked on a 
CRL, it would probably be unwise to have OCSP report its status as 
"good".  However, given that the BRs allow CRLs to be optional, this 
won't always be an issue).

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
