A mighty fortress is our PKI, Part II

Nicolas Williams Nicolas.Williams at oracle.com
Wed Jul 28 12:02:29 EDT 2010


On Thu, Jul 29, 2010 at 03:51:33AM +1200, Peter Gutmann wrote:
> Nicolas Williams <Nicolas.Williams at oracle.com> writes:
> 
> >Exactly.  OCSP can work in that manner.  CRLs cannot.
> 
> OCSP only appears to work in that manner.  Since OCSP was designed to be 100% 
> bug-compatible with CRLs, it's really an OCQP (online CRL query protocol) and 
> not an OCSP.  Specifically, if I submit a freshly-issued, valid certificate to 
> an OCSP responder and ask "is this a valid certificate" then it can't say yes, 
> and if I submit an Excel spreadsheet to an OCSP responder and ask "is this a 
> valid certificate" then it can't say no.  It takes quite some effort to design 
> an online certificate status protocol that's that broken.
> 
> (For people not familiar with OCSP, it can't say "yes" because a CRL can't say 
> "yes" either, all it can say is "not on the CRL", and it can't say "no" for 
> the same reason, all it can say is "not on the CRL".  The ability to say 
> "valid certificate" or "not valid certificate" was explicitly excluded from 
> OCSP because that's not how things are supposed to be done).

Sorry, but this is wrong.  The OCSP protocol itself really is an online
certificate status protocol.  Responder implementations may well be
based on checking CRLs, but they aren't required to be.

Don't be confused by the fact that OCSP borrows some elements from CRLs.

Nico
-- 

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
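The disagreement above is about what an OCSP "good" answer asserts. As an added illustration (not code from this thread or from either author), the model below implements the CertStatus decision of two responders that speak the same protocol but are backed by different data: one that only consults a CRL, and one that also has the CA's issuance log. The OCSP request carries a CertID (issuer name hash, issuer key hash, serial number), not the certificate itself, so both can only answer about a serial under a given issuer; the protocol's answers are good / revoked / unknown, and "good" is defined as "not revoked", not "issued and valid". The issuer key hash, serial numbers, CRL contents and issuance log are constructed sample data.

```python
"""
Toy model of OCSP responder semantics (CertStatus per RFC 2560 / RFC 6960).

A CRL-backed responder can only say "not on the CRL", so it answers "good"
for any serial absent from the CRL, issued or not.  A responder with the
CA's issuance database can distinguish never-issued serials and answer
"unknown" (RFC 6960 additionally lets such a responder answer "revoked"
for never-issued serials when it signals the extended-revoked extension).
In both cases "good" is only a revocation statement: the client still has
to verify the chain and the validity period itself.

All hashes, serials and sets below are constructed sample data.
"""
import hashlib
from dataclasses import dataclass, field

GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"   # OCSP CertStatus values


@dataclass(frozen=True)
class CertID:
    """What an OCSP request actually carries (hashAlgorithm and name hash omitted)."""
    issuer_key_hash: bytes
    serial: int


def issuer_key_hash(spki_der: bytes) -> bytes:
    """CertID.issuerKeyHash: SHA-1 over the issuer's public key (constructed input here)."""
    return hashlib.sha1(spki_der).digest()


@dataclass
class CrlBackedResponder:
    """Responder whose only source of truth is a CRL; it never sees issuance."""
    issuer_key_hash: bytes
    revoked_serials: set[int] = field(default_factory=set)

    def status(self, cid: CertID) -> str:
        if cid.issuer_key_hash != self.issuer_key_hash:
            return UNKNOWN                      # not a CA this responder speaks for
        # Anything not listed on the CRL looks "good", even a serial never issued.
        return REVOKED if cid.serial in self.revoked_serials else GOOD


@dataclass
class DatabaseBackedResponder:
    """Responder with the CA's issuance log; it can detect never-issued serials."""
    issuer_key_hash: bytes
    issued_serials: set[int] = field(default_factory=set)
    revoked_serials: set[int] = field(default_factory=set)

    def status(self, cid: CertID) -> str:
        if cid.issuer_key_hash != self.issuer_key_hash:
            return UNKNOWN
        if cid.serial not in self.issued_serials:
            return UNKNOWN                      # this CA never issued that serial
        return REVOKED if cid.serial in self.revoked_serials else GOOD


def client_accepts(status: str, chain_verified: bool, within_validity: bool) -> bool:
    """A relying party may use the certificate only if OCSP says 'good' AND its
    own path validation and validity-period check passed; 'good' alone is not
    a statement that the certificate is valid."""
    return status == GOOD and chain_verified and within_validity


def demo() -> dict[str, tuple[str, str]]:
    """Query both responders for three constructed serials.
    Returns {case: (crl_backed_status, database_backed_status)}."""
    ikh = issuer_key_hash(b"constructed-issuer-spki")
    issued = {0x1001, 0x1002, 0x1003}           # constructed issuance log
    crl = {0x1002}                              # constructed CRL contents
    crl_resp = CrlBackedResponder(ikh, crl)
    db_resp = DatabaseBackedResponder(ikh, issued, crl)
    cases = {"freshly issued": 0x1003, "revoked": 0x1002, "never issued": 0xDEAD}
    return {name: (crl_resp.status(CertID(ikh, s)), db_resp.status(CertID(ikh, s)))
            for name, s in cases.items()}


if __name__ == "__main__":
    for case, (crl_answer, db_answer) in demo().items():
        print(f"{case:15s} CRL-backed: {crl_answer:8s} DB-backed: {db_answer}")
```

The "never issued" row is the one that matters here: the CRL-backed responder returns "good" for a serial the CA never issued, which is the behaviour criticised above, while the database-backed responder returns "unknown", which is the behaviour the protocol permits when the responder has more than a CRL behind it. Neither responder's "good" replaces the client's own chain and validity checks.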