A mighty fortress is our PKI, Part II

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Jul 28 11:51:33 EDT 2010


Nicolas Williams <Nicolas.Williams at oracle.com> writes:

>Exactly.  OCSP can work in that manner.  CRLs cannot.

OCSP only appears to work in that manner.  Since OCSP was designed to be 100% 
bug-compatible with CRLs, it's really an OCQP (online CRL query protocol) and 
not an OCSP.  Specifically, if I submit a freshly-issued, valid certificate to 
an OCSP responder and ask "is this a valid certificate" then it can't say yes, 
and if I submit an Excel spreadsheet to an OCSP responder and ask "is this a 
valid certificate" then it can't say no.  It takes quite some effort to design 
an online certificate status protocol that's that broken.

(For people not familiar with OCSP, it can't say "yes" because a CRL can't say 
"yes" either, all it can say is "not on the CRL", and it can't say "no" for 
the same reason, all it can say is "not on the CRL".  The ability to say 
"valid certificate" or "not valid certificate" was explicitly excluded from 
OCSP because that's not how things are supposed to be done).

Peter.
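As an added illustration of the point above (not Peter's code and not part of the thread), here is a constructed Python sketch of a CRL-backed responder in the style described: "good" means only "not on the CRL", so it answers "good" for a serial that was never issued, and a relying party has to verify the certificate itself and treat the OCSP answer purely as a revocation signal. The HMAC "signature", the serial numbers and the CRL contents are constructed stand-ins, not real X.509 material.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed issuer state: an HMAC secret stands in for the CA's private
# key (a simulation of "signed by the issuer", not how X.509 signatures work).
CA_SECRET = b"constructed-ca-secret"
CRL = {1002}   # constructed CRL: the only serial the CA has revoked


@dataclass(frozen=True)
class Cert:
    serial: int
    subject: str
    signature: bytes


def issuer_sign(serial: int, subject: str) -> bytes:
    """Stand-in for the issuer signature over the to-be-signed fields."""
    msg = f"{serial}|{subject}".encode()
    return hmac.new(CA_SECRET, msg, hashlib.sha256).digest()


def issue(serial: int, subject: str) -> Cert:
    """What the CA does: produce a cert carrying a genuine issuer signature."""
    return Cert(serial, subject, issuer_sign(serial, subject))


def ocsp_status(serial: int) -> str:
    """CRL-bug-compatible responder: it consults only the CRL, so 'good'
    asserts nothing about whether this serial was ever issued at all."""
    return "revoked" if serial in CRL else "good"


def relying_party_accepts(cert: Cert) -> bool:
    """The relying party's job: check the issuer signature itself first,
    then use OCSP only as a negative (revocation) signal, never as 'valid'."""
    expected = issuer_sign(cert.serial, cert.subject)
    if not hmac.compare_digest(cert.signature, expected):
        return False
    return ocsp_status(cert.serial) != "revoked"


# Constructed cases: a genuine cert, a revoked cert, and a "cert" the CA
# never issued (the analogue of submitting a spreadsheet to the responder).
genuine = issue(1001, "CN=alice.example")
revoked = issue(1002, "CN=bob.example")
never_issued = Cert(9999, "CN=forged.example", b"\x00" * 32)
```

Run `ocsp_status(9999)` and you get "good" even though serial 9999 was never issued; only `relying_party_accepts` rejects it, because it verifies the issuer signature rather than trusting the status answer.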
