[cabfpub] Fwd: [pkix] Straw-poll on OCSP responses for non-revoked certificates.

Rob Stradling rob.stradling at comodo.com
Thu Nov 1 13:20:43 UTC 2012


On 01/11/12 12:30, Eddy Nigg (StartCom Ltd.) wrote:
>
> On 11/01/2012 11:50 AM, From Rob Stradling:
>> On 31/10/12 20:44, Eddy Nigg (StartCom Ltd.) wrote:
>> <snip>
>>> A revoked certificate can't be made valid ever after
>>> as long as it hasn't expired.
>>
>> Eddy, I completely disagree.  RFC2560 very clearly states...
>>
>>   "The "revoked" state indicates that the certificate has been revoked
>>    (either permanantly or temporarily (on hold))."
>>
>> In other words, RFC2560-compliant OCSP _always_ has the option of
>> changing a certificate's status from "revoked" to "good".
>
> Considering that the BR disallows suspension of certificates, I believe
> the RFC in this respect isn't relevant.

Eddy, this thread is about a straw-poll over on the PKIX list. In that 
context, it is the BRs which are not relevant and RFC2560 which is relevant!

Also, the BRs only apply to server certificates, whereas the scope of 
OCSP is clearly wider than that.

> We might make this clearer, but this would be my interpretation (even
> before the BR was adopted).

I presume you're talking about this clause from the BRs v1.1:
"13.2.4 Deletion of Entries
Revocation entries on a CRL or OCSP Response MUST NOT be removed until 
after the Expiry Date of the revoked Certificate."

That sentence, if read literally, is completely pointless.  If I remove 
or add or modify a CRL or OCSP Response in any way, I invalidate its 
signature and so clients will barf.  So even sillier is the fact that 
this sentence gives me permission to invalidate signatures on old CRLs 
and OCSP Responses after a certificate has expired!

If we assume that the intention of this sentence is to refer to 
successive CRLs and OCSP Responses which relate to the certificate in 
question, we need to know what "Revocation entries" means.  It's not 
listed in the Definitions.  I can imagine that some people might 
interpret "Revocation entries" to be referring only to those 
certificates that are intended to be permanently revoked, and not to 
certificates that are only intended to be "on hold" / "suspended".

So I agree that 13.2.4 would benefit from some clarification.

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
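The two mechanics argued over above, as an added example that is not part of this thread or of either company's code: a "revoked (on hold)" entry that a later CRL simply drops, and the fact that editing an already-signed CRL in place, rather than issuing a successor, breaks its signature. The program uses only Go's standard library; the CA, the serial number 42 and the CRL numbers are constructed for the example. The reasonCode OID and the certificateHold value are the real ones from RFC 5280.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Real identifiers from RFC 5280: the reasonCode CRL entry extension and the
// certificateHold reason value that marks a revocation as temporary.
var oidReasonCode = asn1.ObjectIdentifier{2, 5, 29, 21}

const reasonCertificateHold = 6

// heldSerial is a constructed certificate serial number used throughout the example.
const heldSerial = 42

// demoCA is a throwaway self-signed ECDSA CA built only for this example.
type demoCA struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

func newDemoCA() (*demoCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Demo CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &demoCA{key: key, cert: cert}, nil
}

// issueCRL signs a complete CRL carrying the given entries under the given CRL number.
func (ca *demoCA) issueCRL(number int64, entries []pkix.RevokedCertificate) ([]byte, error) {
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(number),
		ThisUpdate:          time.Now(),
		NextUpdate:          time.Now().Add(time.Hour),
		RevokedCertificates: entries,
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca.cert, ca.key)
}

// holdEntry builds a CRL entry whose reasonCode is certificateHold (a temporary revocation).
func holdEntry(serial int64) (pkix.RevokedCertificate, error) {
	reason, err := asn1.Marshal(asn1.Enumerated(reasonCertificateHold))
	if err != nil {
		return pkix.RevokedCertificate{}, err
	}
	return pkix.RevokedCertificate{
		SerialNumber:   big.NewInt(serial),
		RevocationTime: time.Now(),
		Extensions:     []pkix.Extension{{Id: oidReasonCode, Value: reason}},
	}, nil
}

// certStatus is the relying-party side: reject the CRL unless its signature
// verifies against the issuer, then report "revoked" or "good" for the serial.
func certStatus(crlDER []byte, issuer *x509.Certificate, serial int64) (string, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return "", err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return "", fmt.Errorf("CRL rejected: %w", err)
	}
	want := big.NewInt(serial)
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(want) == 0 {
			return "revoked", nil
		}
	}
	return "good", nil
}

// ScenarioResult collects what the relying party concluded at each step.
type ScenarioResult struct {
	StatusAfterHold     string // from CRL #1, which lists the held certificate
	StatusAfterRelease  string // from CRL #2, which no longer lists it
	TamperedCRLAccepted bool   // whether an edited copy of CRL #1 passed verification
}

// RunScenario issues the two successive CRLs and then edits the first one in place.
func RunScenario() (ScenarioResult, error) {
	var res ScenarioResult
	ca, err := newDemoCA()
	if err != nil {
		return res, err
	}
	entry, err := holdEntry(heldSerial)
	if err != nil {
		return res, err
	}
	crl1, err := ca.issueCRL(1, []pkix.RevokedCertificate{entry})
	if err != nil {
		return res, err
	}
	crl2, err := ca.issueCRL(2, nil) // hold lifted: the successor CRL simply omits the entry
	if err != nil {
		return res, err
	}
	if res.StatusAfterHold, err = certStatus(crl1, ca.cert, heldSerial); err != nil {
		return res, err
	}
	if res.StatusAfterRelease, err = certStatus(crl2, ca.cert, heldSerial); err != nil {
		return res, err
	}
	// Edit the signed CRL instead of re-issuing it: rewrite the revoked serial's
	// DER encoding (INTEGER 02 01 2a) to 43. Lengths are unchanged, so it still parses.
	idx := bytes.Index(crl1, []byte{0x02, 0x01, heldSerial})
	if idx < 0 {
		return res, errors.New("serial not found in CRL DER")
	}
	tampered := append([]byte(nil), crl1...)
	tampered[idx+2] = heldSerial + 1
	_, err = certStatus(tampered, ca.cert, heldSerial)
	res.TamperedCRLAccepted = err == nil
	return res, nil
}

func main() {
	res, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", res)
}
```

The relying-party check here is deliberately minimal: a production client would also enforce NextUpdate freshness and prefer the CRL with the highest CRL number, which is exactly what makes the "hold, then release" transition work: the status comes from the newest validly signed CRL, never from editing an old one.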
