[cabfpub] Fwd: [pkix] Straw-poll on OCSP responses for non-revoked certificates.
Eddy Nigg (StartCom Ltd.)
eddy_nigg at startcom.org
Wed Oct 31 13:44:47 MST 2012
On 10/31/2012 10:32 PM, From Ben Wilson:
>
> If a modification of RFC 2560 allows an extension to change the
> meaning of a “1” response to something else. It was you who said
> “[it] might be good, …, either due to migration and update time or
> other reasons (out-of-sync or whatever).”
>
Yes, that's why I think using "Unknown" is the correct response and not
revoked for those. A revoked certificate can't be made valid ever after
as long as it hasn't expired. And "Unknown" != "Good".
However once a certificate was marked as revoked, in my opinion a client
doesn't have to check again ever.
Regards
Signer: Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
XMPP: startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Twitter: Follow Me <http://twitter.com/eddy_nigg>
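
An added example, not part of the original message and not code from any CA or client: a sketch of relying-party logic that follows the position stated above, with "Unknown" never accepted as "Good" and "Revoked" kept until the certificate expires, even if a later out-of-sync reply says "Good". The class and function names, the serial numbers and the times are assumptions made for illustration.

```python
from datetime import datetime, timedelta
from enum import IntEnum

class CertStatus(IntEnum):
    GOOD = 0      # CertStatus CHOICE tags from RFC 2560
    REVOKED = 1
    UNKNOWN = 2

class StatusCache:
    """Hypothetical client-side cache keyed by certificate serial."""
    def __init__(self):
        self._entries = {}  # serial -> (status, recheck_after)

    def record(self, serial, status, recheck_after):
        prev = self._entries.get(serial)
        if prev is not None and prev[0] == CertStatus.REVOKED:
            return prev[0]  # sticky: a later answer cannot un-revoke
        self._entries[serial] = (CertStatus(status), recheck_after)
        return self._entries[serial][0]

    def needs_query(self, serial, now, not_after):
        if now >= not_after:
            return False  # expired: rejected without asking the responder
        entry = self._entries.get(serial)
        if entry is None:
            return True
        if entry[0] == CertStatus.REVOKED:
            return False  # revoked once, never checked again
        return now >= entry[1]

    def acceptable(self, serial, now, not_after):
        status, recheck_after = self._entries.get(serial, (None, now))
        return (status == CertStatus.GOOD  # UNKNOWN != GOOD
                and now < not_after and now < recheck_after)

def demo():
    """Constructed serials and times, for illustration only."""
    t0 = datetime(2012, 10, 31, 12, 0)
    exp, hour, c = t0 + timedelta(days=365), timedelta(hours=1), StatusCache()
    c.record("0A", CertStatus.UNKNOWN, t0 + hour)
    c.record("0B", CertStatus.REVOKED, t0 + hour)
    late = c.record("0B", CertStatus.GOOD, t0 + 5 * hour)  # out-of-sync reply
    return {"unknown_ok": c.acceptable("0A", t0, exp),
            "unknown_requery": c.needs_query("0A", t0 + 2 * hour, exp),
            "late_good": late, "revoked_ok": c.acceptable("0B", t0, exp),
            "revoked_requery": c.needs_query("0B", t0 + 9 * hour, exp)}
```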