[cabfpub] Fwd: [pkix] Straw-poll on OCSP responses for non-revoked certificates.

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Thu Nov 1 14:55:36 UTC 2012

On 11/01/2012 03:20 PM, From Rob Stradling:
> Eddy, this thread is about a straw-poll over on the PKIX list. In that 
> context, it is the BRs which are not relevant and RFC2560 which is 
> relevant!

I realized that and suspension is defined. In practice, are there any 
CAs that have a policy defined for suspensions?

> I presume you're talking about this clause from the BRs v1.1:
> "13.2.4 Deletion of Entries
> Revocation entries on a CRL or OCSP Response MUST NOT be removed until 
> after the Expiry Date of the revoked Certificate."
> That sentence, if read literally, is completely pointless.  If I 
> remove or add or modify a CRL or OCSP Response in any way, I 
> invalidate its signature and so clients will barf.  So even sillier is 
> the fact that this sentence gives me permission to invalidate 
> signatures on old CRLs and OCSP Responses after a certificate has 
> expired!

Obviously nobody meant you modify an issued CRL, but the entries in the 
list MUST NOT be removed until the cert expires. Very clear in my opinion.

> It's not listed in the Definitions.  I can imagine that some people 
> might interpret "Revocation entries" to be referring only to those 
> certificates that are intended to be permanently revoked, and not to 
> certificates that are only intended to be "on hold" / "suspended".

A revocation entry MUST NOT be removed, hence there is no such a thing 
"on hold" or "suspended"

> So I agree that 13.2.4 would benefit from some clarification.

Be my guest :-)

Signer: 	Eddy Nigg, COO/CTO
	StartCom Ltd. <http://www.startcom.org>
XMPP: 	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: 	Join the Revolution! <http://blog.startcom.org>
Twitter: 	Follow Me <http://twitter.com/eddy_nigg>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20121101/c6d9dfd7/attachment-0004.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4540 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.cabforum.org/pipermail/public/attachments/20121101/c6d9dfd7/attachment-0002.p7s>

More information about the Public mailing list