Re: [pkix] Proposed resolution to non-issued certificates - 2560bis

"David A. Cooper" <david.cooper@nist.gov> Fri, 02 November 2012 15:39 UTC

Message-ID: <5093E937.9030908@nist.gov>
Date: Fri, 02 Nov 2012 11:39:35 -0400
From: "David A. Cooper" <david.cooper@nist.gov>
To: Stefan Santesson <stefan@aaa-sec.com>
References: <CCB9A0A3.52A49%stefan@aaa-sec.com>
In-Reply-To: <CCB9A0A3.52A49%stefan@aaa-sec.com>
Cc: "pkix@ietf.org" <pkix@ietf.org>
Subject: Re: [pkix] Proposed resolution to non-issued certificates - 2560bis

The CRL references extension is defined in Section 4.4.2 of RFC 2560 as 
an extension that may be included in the singleExtensions field of an 
OCSP response.  So, what is it about Piyush's request that is outside of 
the scope of the OCSP standard?

On 11/02/2012 11:14 AM, Stefan Santesson wrote:
> On 11/1/12 11:12 PM, "Piyush Jain" <piyush@ditenity.com> wrote:
>> BTW, I hope that there will be guidance in the updated draft on what to
>> include in CRL References extension in such cases.
>> It might suffice to say that the responder MUST not include the CRL
>> References extension if it is issuing revoked for fraudulently-issued
>> certificates.
> No, that would be outside of the scope of the OCSP standard. This standard
> describes the OCSP protocol. It can't pose requirements on use of other
> services.
>
> /Stefan
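The extension this message points to, as an added example written for this archive page (not code from RFC 2560 or from anyone in the thread): a small DER encoder and decoder for the CRL References extension (id-pkix-ocsp-crl carrying a CrlID) of RFC 2560 Section 4.4.2, of the kind a client would run over each singleExtensions entry of a SingleResponse. The OID and the CrlID layout come from the RFC; the DER helpers are hand-rolled so it runs without pyasn1, and any URL or CRL number passed in is a constructed sample.

```python
ID_PKIX_OCSP_CRL = bytes.fromhex("06092b0601050507300103")  # DER OID 1.3.6.1.5.5.7.48.1.3 = { id-pkix-ocsp 3 }

def _tlv(tag, body):  # one DER tag-length-value element, length in short or long form
    n = len(body)
    lb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (lb if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + body

def _read(der, pos):  # -> (tag, value, offset just past the element)
    tag, n, pos = der[pos], der[pos + 1], pos + 2
    if n & 0x80:  # long-form length
        n, pos = int.from_bytes(der[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, der[pos:pos + n], pos + n

def encode_crl_id(crl_url=None, crl_num=None, crl_time=None):
    """CrlID ::= SEQUENCE { crlUrl [0] IA5String, crlNum [1] INTEGER, crlTime [2] GeneralizedTime }, all EXPLICIT OPTIONAL.
    crl_time is passed as GeneralizedTime text such as "20121102153900Z"."""
    parts = b""
    if crl_url is not None:
        parts += _tlv(0xA0, _tlv(0x16, crl_url.encode("ascii")))
    if crl_num is not None:  # non-negative INTEGER in minimal two's-complement form
        parts += _tlv(0xA1, _tlv(0x02, crl_num.to_bytes(crl_num.bit_length() // 8 + 1, "big")))
    if crl_time is not None:
        parts += _tlv(0xA2, _tlv(0x18, crl_time.encode("ascii")))
    return _tlv(0x30, parts)

def crl_references_extension(**fields):  # Extension { extnID, extnValue OCTET STRING(CrlID) } for singleExtensions
    return _tlv(0x30, ID_PKIX_OCSP_CRL + _tlv(0x04, encode_crl_id(**fields)))

def decode_crl_references(ext_der):
    """Parse one singleExtensions entry: the CrlID fields present, or None if it is some other extension."""
    _, ext, _ = _read(ext_der, 0)
    _, oid, pos = _read(ext, 0)
    if _tlv(0x06, oid) != ID_PKIX_OCSP_CRL:
        return None
    tag, crl_id, pos = _read(ext, pos)
    if tag == 0x01:  # skip the optional 'critical BOOLEAN' that precedes extnValue
        tag, crl_id, pos = _read(ext, pos)
    _, body, _ = _read(crl_id, 0)  # extnValue OCTET STRING wraps the CrlID SEQUENCE
    out, pos = {}, 0
    while pos < len(body):
        ctag, wrapped, pos = _read(body, pos)
        _, val, _ = _read(wrapped, 0)  # strip the EXPLICIT context tag
        if ctag == 0xA0:
            out["crlUrl"] = val.decode("ascii")
        elif ctag == 0xA1:
            out["crlNum"] = int.from_bytes(val, "big", signed=True)
        elif ctag == 0xA2:
            out["crlTime"] = val.decode("ascii")  # GeneralizedTime, left as its YYYYMMDDHHMMSSZ text
    return out
```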