A mighty fortress is our PKI, Part II
Paul Tiemann
paul.tiemann.usenet at gmail.com
Wed Jul 28 16:17:08 EDT 2010
On Jul 28, 2010, at 9:51 AM, Peter Gutmann wrote:
> Nicolas Williams <Nicolas.Williams at oracle.com> writes:
>
>> Exactly. OCSP can work in that manner. CRLs cannot.
>
> OCSP only appears to work in that manner. Since OCSP was designed to be 100%
> bug-compatible with CRLs, it's really an OCQP (online CRL query protocol) and
> not an OCSP.
This isn't true for all OCSP services. For example, DigiCert's is not CRL-based, so it really can say "Yes" and it really can say "Unknown" meaningfully.
> (For people not familiar with OCSP, it can't say "yes" because a CRL can't say
> "yes" either, all it can say is "not on the CRL", and it can't say "no" for
> the same reason, all it can say is "not on the CRL". The ability to say
> "valid certificate" or "not valid certificate" was explicitly excluded from
> OCSP because that's not how things are supposed to be done).
True for off-the-shelf OCSP responders that base themselves on CRLs.
Paul Tiemann
(DigiCert)
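The distinction the two posts are arguing over can be made concrete. The following is an added illustration, not code from the thread, from DigiCert, or from any real OCSP responder: it models a responder that derives its answers purely from a CRL ("not on the CRL" is reported as "good") next to one that also consults the CA's issuance records and can therefore return "unknown" for a serial that was never issued. The status names follow RFC 6960 (good / revoked / unknown); the serial numbers, CRL entries and issuance log are constructed for the example.

```python
"""Two OCSP responder models: CRL-derived vs. issuance-record-backed.

Constructed example. The serials, revocation entries and issuance log below
are made up; they exist only to show how the two designs answer differently
for a serial the CA never issued.
"""

from dataclasses import dataclass
from enum import Enum


class CertStatus(Enum):
    """The three CertStatus values an OCSP SingleResponse can carry (RFC 6960, 2.2)."""
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


@dataclass(frozen=True)
class RevokedEntry:
    serial: int
    reason: str


# Constructed sample data (not real certificates): the CA's CRL lists two
# revoked serials, and its issuance records show four serials ever issued.
SAMPLE_CRL = (
    RevokedEntry(0x1001, "keyCompromise"),
    RevokedEntry(0x1003, "superseded"),
)
SAMPLE_ISSUED = frozenset({0x1001, 0x1002, 0x1003, 0x1004})


def crl_backed_status(serial, crl=SAMPLE_CRL):
    """'OCQP' behaviour: the answer is derived from the CRL alone.

    The responder only knows 'listed' or 'not listed', so 'not listed' is
    mapped to good, even for a serial the CA never issued. It has no data
    from which to say unknown.
    """
    if any(entry.serial == serial for entry in crl):
        return CertStatus.REVOKED
    return CertStatus.GOOD


def db_backed_status(serial, issued=SAMPLE_ISSUED, crl=SAMPLE_CRL):
    """Responder with access to the CA's issuance records.

    Three cases are distinguishable: never issued (unknown), issued and
    revoked (revoked), issued and not revoked (good). Only here does
    'good' actually assert that the CA issued the certificate.
    """
    if serial not in issued:
        return CertStatus.UNKNOWN
    if any(entry.serial == serial for entry in crl):
        return CertStatus.REVOKED
    return CertStatus.GOOD


def compare_responders(serials):
    """Query both responder models for each serial.

    Returns {serial: (crl_backed_status, db_backed_status)} so the
    divergence on never-issued serials is visible side by side.
    """
    return {s: (crl_backed_status(s), db_backed_status(s)) for s in serials}


def relying_party_accepts(status):
    """Strict client policy: only an affirmative good is accepted; unknown fails.

    Against a CRL-backed responder this policy is weaker than it looks,
    because that responder can never return unknown.
    """
    return status is CertStatus.GOOD


if __name__ == "__main__":
    probes = [0x1001, 0x1002, 0x1004, 0xDEAD]  # 0xDEAD was never issued
    for serial, (via_crl, via_db) in compare_responders(probes).items():
        print(f"serial 0x{serial:x}: CRL-backed={via_crl.value:8} "
              f"DB-backed={via_db.value:8} "
              f"accept(CRL)={relying_party_accepts(via_crl)} "
              f"accept(DB)={relying_party_accepts(via_db)}")
```

Running the script shows both models agreeing on issued serials (0x1001 revoked, 0x1002 and 0x1004 good) and disagreeing on the never-issued 0xDEAD: the CRL-derived responder reports good and a strict relying party accepts it, while the issuance-backed responder reports unknown and the same relying party rejects it. That gap is exactly what is meant by a CRL-based responder being unable to say "yes".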
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com