[cabfpub] Fwd: [pkix] Straw-poll on OCSP responses for non-revoked certificates.
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Tue Oct 30 16:06:08 MST 2012
On 10/30/2012 11:47 PM, From Eddy Nigg (StartCom Ltd.):
> Neither - an OCSP responder should respond with "Unknown" or
> "Unauthorized" in case the certificate is unknown. Or either "Good" or
> "Revoked" for known ones.
>
> Rational - responding "Revoked" for a certificate that might be good,
> is incorrect, either due to migration and update time or other reasons
> (out-of-sync cor whatever). Clients may cache revoked responses
> forever, revoked certificates are never unrevoked.
I hope the folks from the PKIX forum follow the CAB Forum public list -
it wasn't obvious to me that this mail was forwarded. Well, well... :-)
Regards
Signer: Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
XMPP: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://cabforum.org/pipermail/public/attachments/20121031/a587a82f/attachment.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4540 bytes
Desc: S/MIME Cryptographic Signature
Url : http://cabforum.org/pipermail/public/attachments/20121031/a587a82f/attachment.bin
More information about the Public
mailing list