[cabfpub] Fwd: [pkix] Straw-poll on OCSP responses for non-revoked certificates.
Rob Stradling
rob.stradling at comodo.com
Thu Nov 1 13:20:43 UTC 2012
On 01/11/12 12:30, Eddy Nigg (StartCom Ltd.) wrote:
>
> On 11/01/2012 11:50 AM, From Rob Stradling:
>> On 31/10/12 20:44, Eddy Nigg (StartCom Ltd.) wrote:
>> <snip>
>>> A revoked certificate can't be made valid ever after
>>> as long as it hasn't expired.
>>
>> Eddy, I completely disagree. RFC2560 very clearly states...
>>
>> "The "revoked" state indicates that the certificate has been revoked
>> (either permanantly or temporarily (on hold))."
>>
>> In other words, RFC2560-compliant OCSP _always_ has the option of
>> changing a certificate's status from "revoked" to "good".
>
> Considering that the BR disallows suspension of certificates, I believe
> the RFC in this respect isn't relevant.
Eddy, this thread is about a straw-poll over on the PKIX list. In that
context, it is the BRs which are not relevant and RFC2560 which is relevant!
Also, the BRs only apply to server certificates, whereas the scope of
OCSP is clearly wider than that.
> We might make this cleared, but this would be my interpretation (even
> before the BR was adopted).
I presume you're talking about this clause from the BRs v1.1:
"13.2.4 Deletion of Entries
Revocation entries on a CRL or OCSP Response MUST NOT be removed until
after the Expiry Date of the revoked Certificate."
That sentence, if read literally, is completely pointless. If I remove
or add or modify a CRL or OCSP Response in any way, I invalidate its
signature and so clients will barf. So even sillier is the fact that
this sentence gives me permission to invalidate signatures on old CRLs
and OCSP Responses after a certificate has expired!
If we assume that the intention of this sentence is to refer to
successive CRLs and OCSP Responses which relate to the certificate in
question, we need to know what "Revocation entries" means. It's not
listed in the Definitions. I can imagine that some people might
interpret "Revocation entries" to be referring only to those
certificates that are intended to be permanently revoked, and not to
certificates that are only intended to be "on hold" / "suspended".
So I agree that 13.2.4 would benefit from some clarification.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
More information about the Public
mailing list