[cabfpub] Fwd: [pkix] Straw-poll on OCSP responses for non-revoked certificates.

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Thu Nov 1 12:30:54 UTC 2012

On 11/01/2012 11:50 AM, From Rob Stradling:
> On 31/10/12 20:44, Eddy Nigg (StartCom Ltd.) wrote:
> <snip>
>> A revoked certificate can't be made valid ever after
>> as long as it hasn't expired.
> Eddy, I completely disagree.  RFC2560 very clearly states...
>   "The "revoked" state indicates that the certificate has been revoked
>    (either permanantly or temporarily (on hold))."
> In other words, RFC2560-compliant OCSP _always_ has the option of 
> changing a certificate's status from "revoked" to "good".

Considering that the BR disallows suspension of certificates, I believe 
the RFC in this respect isn't relevant. We might make this cleared, but 
this would be my interpretation (even before the BR was adopted).

Signer: 	Eddy Nigg, COO/CTO
	StartCom Ltd. <http://www.startcom.org>
XMPP: 	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: 	Join the Revolution! <http://blog.startcom.org>
Twitter: 	Follow Me <http://twitter.com/eddy_nigg>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20121101/31f62b23/attachment-0004.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4540 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.cabforum.org/pipermail/public/attachments/20121101/31f62b23/attachment-0002.p7s>

More information about the Public mailing list