Re: [pkix] Straw-poll on OCSP responses for non-revoked certificates.

"Miller, Timothy J." <tmiller@mitre.org> Tue, 30 October 2012 14:07 UTC

From: "Miller, Timothy J." <tmiller@mitre.org>
To: 'Art Allison' <AAllison@nab.org>, "pkix@ietf.org" <pkix@ietf.org>
Thread-Topic: [pkix] Straw-poll on OCSP responses for non-revoked certificates.
Thread-Index: AQHNtqblMgNdLLPinE+jI++DAIupIpfR4djw
Date: Tue, 30 Oct 2012 14:07:26 +0000
Message-ID: <195DB2510AAA004391F58E28FCE21200066E2071@IMCMBX01.MITRE.ORG>
References: <CCB55CA3.52588%stefan@aaa-sec.com> <71C9EC0544D1F64D8B7D91EDCC62202005EB6544@NABSREX027324.NAB.ORG>
In-Reply-To: <71C9EC0544D1F64D8B7D91EDCC62202005EB6544@NABSREX027324.NAB.ORG>
Subject: Re: [pkix] Straw-poll on OCSP responses for non-revoked certificates.

>3) Neither. Add new optional response = unissued.

UNKNOWN would satisfy in this case, but that wasn't a poll option.  :)

I disagree in re: lying.  The OCSP responder can respond REVOKED and the CA could add it to the CRL afterward, and a relying party wouldn't be able to tell the difference.

-- T
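The point above (a REVOKED answer for a never-issued serial is indistinguishable, to the relying party, from a genuine revocation) can be made concrete at the encoding level. The following is an added example written for this archive page; it is not code from the post, the PKIX working group, or any OCSP implementation. It hand-encodes and decodes the OCSP CertStatus CHOICE from RFC 6960 section 4.2.1 with a minimal DER helper (an assumption of this example, standing in for a real ASN.1 library) and applies a relying-party decision. The only distinguishing signal the checker recognises is the convention RFC 6960 section 2.2 later specified for non-issued certificates (reason certificateHold and revocationTime 1970-01-01T00:00:00Z; a full check would also require the extended-revoke response extension, which is left out here).

```python
"""Minimal DER encode/decode for OCSP CertStatus (RFC 6960, 4.2.1).

CertStatus ::= CHOICE {
    good    [0] IMPLICIT NULL,
    revoked [1] IMPLICIT RevokedInfo,
    unknown [2] IMPLICIT UnknownInfo }
RevokedInfo ::= SEQUENCE {
    revocationTime   GeneralizedTime,
    revocationReason [0] EXPLICIT CRLReason OPTIONAL }

Added example (not the post's code); the DER helpers are a deliberate
hand-rolled minimum and only handle what CertStatus needs.
"""
from datetime import datetime, timezone
from typing import Optional

CRL_REASON_CERTIFICATE_HOLD = 6            # CRLReason value from RFC 5280, 5.3.1
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)  # RFC 6960 2.2 marker time


def _der_len(n: int) -> bytes:
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def _read_tlv(data: bytes, pos: int = 0):
    """Return (tag, content, position after this TLV)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def encode_good() -> bytes:
    return _tlv(0x80, b"")          # [0] IMPLICIT NULL -> 80 00


def encode_unknown() -> bytes:
    return _tlv(0x82, b"")          # [2] IMPLICIT NULL -> 82 00


def encode_revoked(when: datetime, reason: Optional[int] = None) -> bytes:
    """[1] IMPLICIT SEQUENCE keeps the constructed bit: tag A1."""
    gt = when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ").encode()
    content = _tlv(0x18, gt)                                  # GeneralizedTime
    if reason is not None:
        content += _tlv(0xA0, _tlv(0x0A, bytes([reason])))    # [0] EXPLICIT ENUMERATED
    return _tlv(0xA1, content)


def decode_cert_status(der: bytes) -> dict:
    tag, content, end = _read_tlv(der)
    if end != len(der):
        raise ValueError("trailing data after CertStatus")
    if tag == 0x80:
        return {"status": "good"}
    if tag == 0x82:
        return {"status": "unknown"}
    if tag != 0xA1:
        raise ValueError(f"unexpected CertStatus tag 0x{tag:02x}")
    t, gt, pos = _read_tlv(content)
    if t != 0x18:
        raise ValueError("RevokedInfo must start with GeneralizedTime")
    when = datetime.strptime(gt.decode(), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    reason = None
    if pos < len(content):
        t, inner, pos = _read_tlv(content, pos)
        t2, enum, _ = _read_tlv(inner)
        if t != 0xA0 or t2 != 0x0A:
            raise ValueError("malformed revocationReason")
        reason = enum[0]
    return {"status": "revoked", "time": when, "reason": reason}


def relying_party_decision(der: bytes) -> str:
    """What a client does with the status. A bare 'revoked' for a never-issued
    serial carries the same bytes as a real revocation; only the RFC 6960 2.2
    marker (certificateHold at the epoch) lets the client tell them apart."""
    st = decode_cert_status(der)
    if st["status"] == "good":
        return "accept"
    if st["status"] == "unknown":
        return "reject: responder has no record for this serial"
    if st["reason"] == CRL_REASON_CERTIFICATE_HOLD and st["time"] == EPOCH:
        return "reject: responder marks this serial as never issued"
    return "reject: revoked"


if __name__ == "__main__":
    t = datetime(2012, 10, 30, 14, 7, 26, tzinfo=timezone.utc)   # constructed sample time
    genuine = encode_revoked(t, 1)          # keyCompromise on a real certificate
    unissued = encode_revoked(t, 1)         # responder answering REVOKED for a serial it never issued
    print(genuine.hex(), genuine == unissued, relying_party_decision(genuine))
    print(relying_party_decision(encode_revoked(EPOCH, CRL_REASON_CERTIFICATE_HOLD)))
```

The two `encode_revoked` calls in the usage block produce byte-identical responses, which is the indistinguishability the post describes; a responder that wants to be honest about non-issued serials has to use a distinct status (the UNKNOWN option mentioned above, or the later RFC 6960 marker) rather than a plain REVOKED.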