[cabfpub] Fwd: [pkix] Straw-poll on OCSP responses for non-revoked certificates.

Rick Andrews Rick_Andrews at symantec.com
Wed Nov 7 18:25:50 UTC 2012

When I looked at the RFC some time ago, it seemed that suspension and resumption were only allowed in delta CRLs. I don’t know of any CAs or browsers that support delta CRLs.


From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of i-barreira at izenpe.net
Sent: Wednesday, November 07, 2012 12:52 AM
To: eddy_nigg at startcom.org; public at cabforum.org
Subject: Re: [cabfpub] Fwd: [pkix] Straw-poll on OCSP responses for non-revoked certificates.

On the CRL you can suspend a certificate (the response is revoked) and turned it back to a good status and this is perfectly valid.

Iñigo Barreira
Responsable del Área técnica
i-barreira at izenpe.net<mailto:i-barreira at izenpe.net>

[cid:image001.png at 01CDBCD2.41F56E10]
ERNE! Baliteke mezu honen zatiren bat edo mezu osoa legez babestuta egotea. Mezua badu bere hartzailea. Okerreko helbidera heldu bada (helbidea gaizki idatzi, transmisioak huts egin) eman abisu igorleari, korreo honi erantzuna. KONTUZ!
ATENCION! Este mensaje contiene informacion privilegiada o confidencial a la que solo tiene derecho a acceder el destinatario. Si usted lo recibe por error le agradeceriamos que no hiciera uso de la informacion y que se pusiese en contacto con el remitente.

De: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] En nombre de Eddy Nigg (StartCom Ltd.)
Enviado el: miércoles, 31 de octubre de 2012 21:45
Para: public at cabforum.org
Asunto: Re: [cabfpub] Fwd: [pkix] Straw-poll on OCSP responses for non-revoked certificates.

On 10/31/2012 10:32 PM, From Ben Wilson:
If a modification of RFC 2560 allows an extension to change the meaning of a “1” response to something else.  It was you who said “[it] might be good, …, either due to migration and update time or other reasons (out-of-sync cor whatever).”

Yes, that's why I think using "Unknown" is the correct response and not revoked for those. A revoked certificate can't be made valid ever after as long as it hasn't expired. And "Unknown" != "Good".

However once a certificate was marked as revoked, in my opinion a client doesn't have to check again ever.


Eddy Nigg, COO/CTO

StartCom Ltd.<http://www.startcom.org>


startcom at startcom.org<xmpp:startcom at startcom.org>


Join the Revolution!<http://blog.startcom.org>


Follow Me<http://twitter.com/eddy_nigg>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20121107/d62dd1b8/attachment-0004.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 19121 bytes
Desc: image001.png
URL: <http://lists.cabforum.org/pipermail/public/attachments/20121107/d62dd1b8/attachment-0004.png>

More information about the Public mailing list