[cabfpub] Fwd: [pkix] Straw-poll on OCSP responses for non-revoked certificates.

i-barreira at izenpe.net i-barreira at izenpe.net
Wed Nov 7 08:56:32 UTC 2012

Eddy, for the record, we do allow suspension. Some (maybe most) European CAs allow suspension, but mainly for QCs and not SSL certs, so the BRs don't apply. And when a cert is suspended a new CRL is generated (so it means that serial number is revoked), and the OCSP response is also revoked; when you un-suspend it, it no longer appears in the CRL and the OCSP response is good.



Iñigo Barreira
Head of the Technical Area
i-barreira at izenpe.net




WARNING! Part or all of this message may be legally protected. The message is intended for its addressee. If it has reached the wrong address (address mistyped, transmission failure), notify the sender by replying to this e-mail. CAUTION!
ATTENTION! This message contains privileged or confidential information that only the addressee is entitled to access. If you receive it in error, we would be grateful if you did not make use of the information and contacted the sender.


From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On behalf of Eddy Nigg (StartCom Ltd.)
Sent: Thursday, 01 November 2012 15:56
To: public at cabforum.org
Subject: Re: [cabfpub] Fwd: [pkix] Straw-poll on OCSP responses for non-revoked certificates.


On 11/01/2012 03:20 PM, Rob Stradling wrote:

Eddy, this thread is about a straw-poll over on the PKIX list. In that context, it is the BRs which are not relevant and RFC2560 which is relevant! 

I realized that and suspension is defined. In practice, are there any CAs that have a policy defined for suspensions?

I presume you're talking about this clause from the BRs v1.1: 
"13.2.4 Deletion of Entries 
Revocation entries on a CRL or OCSP Response MUST NOT be removed until after the Expiry Date of the revoked Certificate." 

That sentence, if read literally, is completely pointless.  If I remove or add or modify a CRL or OCSP Response in any way, I invalidate its signature and so clients will barf.  So even sillier is the fact that this sentence gives me permission to invalidate signatures on old CRLs and OCSP Responses after a certificate has expired! 

Obviously nobody meant that you modify an issued CRL, but the entries in the list MUST NOT be removed until the cert expires. Very clear in my opinion.

It's not listed in the Definitions.  I can imagine that some people might interpret "Revocation entries" to be referring only to those certificates that are intended to be permanently revoked, and not to certificates that are only intended to be "on hold" / "suspended". 

A revocation entry MUST NOT be removed, hence there is no such thing as "on hold" or "suspended".

So I agree that 13.2.4 would benefit from some clarification. 

Be my guest :-)




Eddy Nigg, COO/CTO


StartCom Ltd. <http://www.startcom.org> 


startcom at startcom.org


Join the Revolution! <http://blog.startcom.org> 


Follow Me <http://twitter.com/eddy_nigg> 
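The following is an added example, not code from this thread, from Izenpe or from StartCom. It models the practice Iñigo describes above: suspending a certificate puts a certificateHold entry on a freshly numbered CRL and makes the OCSP responder answer "revoked", and lifting the suspension drops that entry again so OCSP answers "good". It also encodes the reading of BR 13.2.4 that Eddy gives: an entry for a permanent revocation is refused removal until after the certificate's expiry date, after which the CRL may drop it. The registry API, the serial numbers and the timeline are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# CRLReason code points (RFC 5280, section 5.3.1); only two are needed here.
KEY_COMPROMISE = 1
CERTIFICATE_HOLD = 6


@dataclass
class Entry:
    """One line in the CA's revocation database."""
    serial: int
    reason: int
    revoked_at: datetime


class RevocationRegistry:
    """Toy CA-side state (an assumption, not any real CA's design) that feeds
    both the CRL and the OCSP responder."""

    def __init__(self) -> None:
        self._not_after: dict = {}   # serial -> certificate expiry
        self._entries: dict = {}     # serial -> current Entry, if listed
        self._crl_number = 0

    def issue(self, serial: int, not_after: datetime) -> None:
        if serial in self._not_after:
            raise ValueError(f"serial {serial:#x} already issued")
        self._not_after[serial] = not_after

    def suspend(self, serial: int, now: datetime) -> None:
        """Put a certificate on hold: listed on the CRL, OCSP answers 'revoked'."""
        if serial not in self._not_after:
            raise ValueError(f"serial {serial:#x} was never issued")
        if serial in self._entries:
            raise ValueError(f"serial {serial:#x} is already listed")
        self._entries[serial] = Entry(serial, CERTIFICATE_HOLD, now)

    def lift_hold(self, serial: int) -> bool:
        """Un-suspend. Returns False (and changes nothing) when the entry is a
        permanent revocation, which per BR 13.2.4 must stay until expiry."""
        entry = self._entries.get(serial)
        if entry is None or entry.reason != CERTIFICATE_HOLD:
            return False
        del self._entries[serial]
        return True

    def revoke(self, serial: int, reason: int, now: datetime) -> None:
        """Permanent revocation; upgrades an existing hold in place."""
        if serial not in self._not_after:
            raise ValueError(f"serial {serial:#x} was never issued")
        if reason == CERTIFICATE_HOLD:
            raise ValueError("use suspend() for certificateHold")
        self._entries[serial] = Entry(serial, reason, now)

    def publish_crl(self, now: datetime) -> dict:
        """Every state change yields a fresh CRL with a higher cRLNumber.
        Entries for certificates past their expiry date may be dropped."""
        self._crl_number += 1
        entries = [(e.serial, e.reason)
                   for e in sorted(self._entries.values(), key=lambda e: e.serial)
                   if self._not_after[e.serial] >= now]
        return {"number": self._crl_number, "this_update": now, "entries": entries}

    def ocsp_status(self, serial: int) -> tuple:
        """CertStatus as a responder backed by this registry would report it."""
        if serial not in self._not_after:
            return ("unknown", None)
        entry = self._entries.get(serial)
        if entry is None:
            return ("good", None)
        return ("revoked", entry.reason)


def simulate_suspension_cycle() -> dict:
    """Constructed scenario: serial 0x1001 is suspended then un-suspended;
    serial 0x1002 is permanently revoked and later expires."""
    t0 = datetime(2012, 11, 7, tzinfo=timezone.utc)    # constructed timeline
    reg = RevocationRegistry()
    reg.issue(0x1001, t0 + timedelta(days=365))        # constructed serials
    reg.issue(0x1002, t0 + timedelta(days=365))
    trace = []

    def snapshot(step, serial, now):
        trace.append((step, reg.ocsp_status(serial), reg.publish_crl(now)["entries"]))

    snapshot("issued", 0x1001, t0)
    reg.suspend(0x1001, t0)
    snapshot("suspended", 0x1001, t0)
    hold_lifted = reg.lift_hold(0x1001)                # allowed: it was a hold
    t1 = t0 + timedelta(days=1)
    snapshot("unsuspended", 0x1001, t1)
    reg.revoke(0x1002, KEY_COMPROMISE, t1)
    permanent_lifted = reg.lift_hold(0x1002)           # refused: permanent entry
    snapshot("revoked", 0x1002, t1)
    t2 = t0 + timedelta(days=400)                      # after expiry the CRL may drop it
    snapshot("expired", 0x1002, t2)
    return {"trace": trace, "hold_lifted": hold_lifted, "permanent_lifted": permanent_lifted}


if __name__ == "__main__":
    for row in simulate_suspension_cycle()["trace"]:
        print(row)
```

The two entry kinds are deliberately distinguished only by their CRLReason, because that is all a relying party sees: a suspended certificate is "revoked" on the wire exactly like a compromised one, which is why the thread's disagreement about whether 13.2.4 covers hold entries matters to clients that cache responses.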


