[cabfpub] Fwd: [pkix] Straw-poll on OCSP responses for non-revoked certificates.
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Thu Nov 1 14:55:36 UTC 2012
On 11/01/2012 03:20 PM, From Rob Stradling:
> Eddy, this thread is about a straw-poll over on the PKIX list. In that
> context, it is the BRs which are not relevant and RFC2560 which is
> relevant!
I realized that, and suspension is defined. In practice, are there any
CAs that have a policy defined for suspensions?
> I presume you're talking about this clause from the BRs v1.1:
> "13.2.4 Deletion of Entries
> Revocation entries on a CRL or OCSP Response MUST NOT be removed until
> after the Expiry Date of the revoked Certificate."
>
> That sentence, if read literally, is completely pointless. If I
> remove or add or modify a CRL or OCSP Response in any way, I
> invalidate its signature and so clients will barf. So even sillier is
> the fact that this sentence gives me permission to invalidate
> signatures on old CRLs and OCSP Responses after a certificate has
> expired!
Obviously nobody meant you modify an issued CRL, but the entries in the
list MUST NOT be removed until the cert expires. Very clear in my opinion.
> It's not listed in the Definitions. I can imagine that some people
> might interpret "Revocation entries" to be referring only to those
> certificates that are intended to be permanently revoked, and not to
> certificates that are only intended to be "on hold" / "suspended".
A revocation entry MUST NOT be removed, hence there is no such thing as
"on hold" or "suspended".
> So I agree that 13.2.4 would benefit from some clarification.
Be my guest :-)
Regards
Signer: Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
XMPP: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>
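As an added example (not part of this thread or any CA's tooling), a small Python check for the reading of 13.2.4 given above: compare two successive CRLs, flag entries that vanished before the certificate's notAfter, and list entries carrying the certificateHold / removeFromCRL reason codes that the "suspension" question turns on. CRL entries are modelled as serial-to-reason-code dicts with constructed sample data; no real CRL parsing is involved.

```python
from datetime import datetime, timezone

# CRLReason values from RFC 5280 section 5.3.1.
CERTIFICATE_HOLD = 6   # suspension ("on hold")
REMOVE_FROM_CRL = 8    # hold lifted; only meaningful on delta CRLs

def removed_before_expiry(previous, current, not_after, this_update):
    """Serials listed in `previous` but missing from `current` while the
    certificate was still unexpired at the newer CRL's thisUpdate.
    A dropped entry is acceptable only once the certificate itself expired."""
    missing = []
    for serial in previous:
        if serial in current:
            continue
        expiry = not_after.get(serial)
        if expiry is None or this_update <= expiry:
            missing.append(serial)
    return sorted(missing)

def hold_entries(crl):
    """Serials whose reason code marks suspension rather than permanent revocation."""
    return sorted(s for s, r in crl.items() if r in (CERTIFICATE_HOLD, REMOVE_FROM_CRL))

def audit(previous, current, not_after, this_update):
    return {
        "removed_before_expiry": removed_before_expiry(previous, current, not_after, this_update),
        "hold_entries": hold_entries(current),
    }

# Constructed sample data: serial -> reason code (0 = unspecified, 1 = keyCompromise).
PREVIOUS_CRL = {0x1001: 1, 0x1002: 0, 0x1003: CERTIFICATE_HOLD, 0x1005: 0}
CURRENT_CRL = {0x1001: 1, 0x1004: 0, 0x1006: CERTIFICATE_HOLD}
NOT_AFTER = {
    0x1001: datetime(2013, 6, 1, tzinfo=timezone.utc),
    0x1002: datetime(2014, 1, 1, tzinfo=timezone.utc),   # dropped early: violation
    0x1003: datetime(2013, 12, 31, tzinfo=timezone.utc),  # hold silently lifted: violation
    0x1004: datetime(2013, 8, 1, tzinfo=timezone.utc),
    0x1005: datetime(2012, 10, 1, tzinfo=timezone.utc),   # expired before thisUpdate: fine
    0x1006: datetime(2013, 9, 1, tzinfo=timezone.utc),
}
THIS_UPDATE = datetime(2012, 11, 1, tzinfo=timezone.utc)

def run_audit():
    return audit(PREVIOUS_CRL, CURRENT_CRL, NOT_AFTER, THIS_UPDATE)

if __name__ == "__main__":
    for finding, serials in run_audit().items():
        print(finding, [hex(s) for s in serials])
```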