Re: [pkix] Should a CRL be required for an OCSP service provider to assert status.

Erwann Abalea <eabalea@gmail.com> Tue, 14 June 2016 16:03 UTC

From: Erwann Abalea <eabalea@gmail.com>
Date: Tue, 14 Jun 2016 18:03:06 +0200
Message-ID: <CA+i=0E6cL8EBpd6sryMFmbfXZf-shYjhVsUgDcUMDiCSrKFE_g@mail.gmail.com>
To: Stephen Kent <kent@bbn.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/H2UCa3Pwz26oX7QR-7cKVh7CsEM>
Cc: "<pkix@ietf.org>" <pkix@ietf.org>
Subject: Re: [pkix] Should a CRL be required for an OCSP service provider to assert status.

Bonjour,

2016-06-13 23:06 GMT+02:00 Stephen Kent <kent@bbn.com>:

> [...]
>
> Yes, the EU defined a *private* extension (CertHash) to support the notion
> of expanding the scope of OCSP. If an OCSP server operator assumes that all
> of the OCSP clients it deals with recognize this private, non-critical
> extension, then it is obviously free to make use of it.
>

s/EU/Germany/

Thinking EU leads to eIDAS, and this CertHash isn't part of ETSI standards
used for eIDAS.

-- 
Erwann.
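The quoted paragraph describes CertHash as a private, non-critical extension that only clients which recognise it will act on. The following is an added example, not code from this message, from the PKIX working group, or from any standard's reference implementation: a minimal client-side treatment of that extension. It assumes the OID 1.3.36.8.3.13 (the Common PKI / ISIS-MTT certHash value, which the message itself does not state), a SHA-256 AlgorithmIdentifier, and models the SingleResponse extensions as a constructed list of (oid, critical, extnValue) tuples rather than parsing a real OCSP response.

```python
import hashlib
import hmac

# OIDs assumed here, not taken from the message: id-isismtt-at-certHash
# (Common PKI / ISIS-MTT) and id-sha256 (NIST).
CERT_HASH_OID = "1.3.36.8.3.13"
SHA256_OID = "2.16.840.1.101.3.4.2.1"


def _der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def _read_tlv(buf, pos):
    """Return (tag, value, position after the value) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def encode_cert_hash(cert_der):
    """CertHash ::= SEQUENCE { hashAlgorithm AlgorithmIdentifier,
    certificateHash OCTET STRING }, as a responder would emit it."""
    alg = _tlv(0x30, _encode_oid(SHA256_OID) + b"\x05\x00")  # sha256, NULL params
    return _tlv(0x30, alg + _tlv(0x04, hashlib.sha256(cert_der).digest()))


def decode_cert_hash(ext_value):
    """Parse a CertHash extnValue into (hash algorithm OID, digest bytes)."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("CertHash is not a SEQUENCE")
    tag, alg, pos = _read_tlv(seq, 0)
    tag_oid, oid_body, _ = _read_tlv(alg, 0)
    if tag != 0x30 or tag_oid != 0x06:
        raise ValueError("hashAlgorithm is not an AlgorithmIdentifier")
    tag, digest, _ = _read_tlv(seq, pos)
    if tag != 0x04:
        raise ValueError("certificateHash is not an OCTET STRING")
    return _decode_oid(oid_body), digest


def check_cert_hash(single_response_extensions, cert_der):
    """Client-side handling of the (constructed) SingleResponse extensions.
    Returns True if CertHash is present and matches cert_der, False if it is
    present and does not match, None if absent: a client that does not know
    the extension never acts on it, because it is non-critical. Unrecognised
    critical extensions are rejected, as RFC 6960 section 4.4 requires."""
    for oid, critical, value in single_response_extensions:
        if oid != CERT_HASH_OID:
            if critical:
                raise ValueError("unrecognised critical extension %s" % oid)
            continue
        hash_oid, digest = decode_cert_hash(value)
        if hash_oid != SHA256_OID:
            raise ValueError("unsupported hash algorithm %s" % hash_oid)
        expected = hashlib.sha256(cert_der).digest()
        return hmac.compare_digest(digest, expected)
    return None


if __name__ == "__main__":
    cert = b"constructed-certificate-der-bytes"  # stand-in for a real DER cert
    exts = [(CERT_HASH_OID, False, encode_cert_hash(cert))]
    print(check_cert_hash(exts, cert))          # True
    print(check_cert_hash(exts, cert + b"x"))   # False
    print(check_cert_hash([], cert))            # None
```

The three return values make the point of the quoted paragraph concrete: a responder that adds CertHash gains a binding between the status and the exact certificate only for clients that implement the extension; every other conformant client takes the None path and validates the response exactly as it would without the extension, and nothing in the base OCSP profile changes.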