Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15

"Piyush Jain" <piyush@ditenity.com> Tue, 02 April 2013 15:07 UTC

From: Piyush Jain <piyush@ditenity.com>
To: 'Stefan Santesson' <stefan@aaa-sec.com>, 'Peter Rybar' <rybar@nbusr.sk>, sts@aaa-sec.com
References: <201304021436.r32EaC6i004048@mail.nbusr.sk> <CD80BD95.5F33A%stefan@aaa-sec.com>
In-Reply-To: <CD80BD95.5F33A%stefan@aaa-sec.com>
Date: Tue, 02 Apr 2013 08:07:11 -0700
Message-ID: <027401ce2fb3$c164e730$442eb590$@ditenity.com>
Cc: pkix@ietf.org
Subject: Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15

> Those fields are not treated in any special way depending on what status
> you provide in a response.
This statement is no longer true with 2560bis since OCSP is no longer
equivalent to CRLs.

Excerpt from Section 4.2.2
~~~~~~~~~~~~~~~~~~~~
The thisUpdate and nextUpdate fields define a recommended validity interval.
This interval corresponds to the {thisUpdate, nextUpdate} interval in CRLs.

  .....
Responses where the nextUpdate value is not set are equivalent to a CRL
with no time for nextUpdate (see Section 2.4).
End
~~~~~~~~~~~~~~~~~~~~

In the case of revoked for non-issued, thisUpdate should probably be the start
of validity of the CA certificate and nextUpdate should be current time + skew.

-Piyush



> -----Original Message-----
> From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of
> Stefan Santesson
> Sent: Tuesday, April 02, 2013 8:55 AM
> To: Peter Rybar; sts@aaa-sec.com
> Cc: pkix@ietf.org
> Subject: Re: [pkix] review of draft-ietf-pkix-rfc2560bis-15
> 
> Peter,
> 
> Those fields are not treated in any special way depending on what status
> you provide in a response.
> 
> /Stefan
> 
> 
> On 4/2/13 3:36 PM, "Peter Rybar" <rybar@nbusr.sk> wrote:
> 
> >Stefan,
> >
> >When revoked for "not-issued" is created by an OCSP server, then according
> >to the actual rfc2560bis it is unclear what must be included in the
> >thisUpdate and nextUpdate fields.
> >Rfc2560bis must also define rules for the values of the thisUpdate and
> >nextUpdate fields.
> >
> >
> >RFC 2560:
> >   - thisUpdate: The time at which the status being indicated is known
> >                 to be correct
> >   - nextUpdate: The time at or before which newer information will be
> >                 available about the status of the certificate
> >
> >
> >Peter
> >
> >_______________________________________________
> >pkix mailing list
> >pkix@ietf.org
> >https://www.ietf.org/mailman/listinfo/pkix
> 
> 
> _______________________________________________
> pkix mailing list
> pkix@ietf.org
> https://www.ietf.org/mailman/listinfo/pkix
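The following is an added example, not code from this thread, from the draft, or from any OCSP implementation. It models the client-side reading of the {thisUpdate, nextUpdate} interval quoted above, including the case where nextUpdate is absent (treated, as the excerpt says, like a CRL with no nextUpdate, so the client has to fall back on its own freshness bound), and it builds a "revoked for non-issued" interval the way Piyush's reply suggests: thisUpdate at the start of the CA certificate's validity, nextUpdate at current time plus skew. The names `SingleResponse`, `check_interval`, `non_issued_response` and `demo_results`, the clock-skew handling, the `max_age` policy value and all sample timestamps are assumptions made for the example; the non-issued interval is the proposal from this message, not text of rfc2560bis.

```python
"""Added example: treatment of the OCSP {thisUpdate, nextUpdate} interval on
the client side, plus the 'revoked for non-issued' interval proposed in the
message above. Not code from the thread or the draft."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

UTC = timezone.utc


@dataclass(frozen=True)
class SingleResponse:
    """Subset of an OCSP SingleResponse needed for the freshness check (assumed shape)."""
    serial: int
    cert_status: str                  # "good", "revoked" or "unknown"
    this_update: datetime             # time at which the status is known to be correct
    next_update: Optional[datetime]   # None models an absent (OPTIONAL) nextUpdate


def check_interval(resp: SingleResponse, now: datetime,
                   skew: timedelta, max_age: timedelta) -> Tuple[bool, str]:
    """Decide whether the response's interval is acceptable at time `now`.

    `skew` is the clock tolerance the client grants the responder (assumed
    policy). `max_age` is the client's own freshness bound and is applied only
    when the responder supplied no nextUpdate: like a CRL with no nextUpdate,
    the responder then promises nothing about when newer information appears,
    so the client must decide for itself how old a thisUpdate it tolerates.
    """
    if resp.this_update > now + skew:
        return False, "thisUpdate lies in the future beyond the allowed skew"
    if resp.next_update is not None:
        if now >= resp.next_update + skew:
            return False, "nextUpdate has passed: newer status should be available"
        return True, "now is inside the {thisUpdate, nextUpdate} interval"
    if now - resp.this_update > max_age:
        return False, "no nextUpdate and thisUpdate is older than the local max_age"
    return True, "no nextUpdate; thisUpdate is recent enough for the local policy"


def non_issued_response(serial: int, ca_not_before: datetime,
                        now: datetime, skew: timedelta) -> SingleResponse:
    """Build the interval for a 'revoked for non-issued' answer as the message
    above suggests (the author's proposal, not a rule from the draft):
    thisUpdate = start of the CA certificate's validity, since the responder
    has known since then that this serial was never issued; nextUpdate =
    now + skew, so the client re-asks soon in case the serial is issued later."""
    return SingleResponse(serial, "revoked", ca_not_before, now + skew)


def demo_results() -> Dict[int, Tuple[bool, str]]:
    """Run constructed samples (not captured from a real responder) and return
    {serial: (accepted, reason)}."""
    now = datetime(2013, 4, 2, 15, 7, 11, tzinfo=UTC)
    skew, max_age = timedelta(minutes=5), timedelta(days=1)
    samples = [
        # ordinary 'good' answer with a 24h interval: accepted
        SingleResponse(1, "good", now - timedelta(hours=1), now + timedelta(hours=23)),
        # nextUpdate absent and thisUpdate two days old: rejected by local max_age
        SingleResponse(2, "good", now - timedelta(days=2), None),
        # nextUpdate an hour in the past: rejected, newer status should exist
        SingleResponse(3, "good", now - timedelta(days=2), now - timedelta(hours=1)),
        # non-issued serial under the proposed interval: accepted right now
        non_issued_response(4, datetime(2010, 1, 1, tzinfo=UTC), now, skew),
    ]
    return {r.serial: check_interval(r, now, skew, max_age) for r in samples}


if __name__ == "__main__":
    for serial, (ok, why) in demo_results().items():
        print(f"serial {serial}: {'accept' if ok else 'reject'}: {why}")
```

Note the consequence of the proposed non-issued interval: because nextUpdate sits only one skew window ahead of the responder's clock, the same response is rejected as expired a few minutes later, which is the intended effect (the client must re-query rather than cache a statement about a serial that may be issued in the meantime).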