RE: Online Certificate Revocation Protocol

Frank Balluffi <frankb@valicert.com> Fri, 08 June 2001 03:33 UTC

Date: Thu, 07 Jun 2001 19:59:41 -0700
From: Frank Balluffi <frankb@valicert.com>
Subject: RE: Online Certificate Revocation Protocol
To: 'Carlin Covey' <ccovey@cylink.com>, hansenw@ece.ubc.ca, madwolf@openca.org
Cc: ietf-pkix@imc.org
Message-id: <613B3C619C9AD4118C4E00B0D03E7C3E014BADB8@exchange.valicert.com>

Yes. It sounds like a job for section 3.3.15 of
http://www.ietf.org/internet-drafts/draft-ietf-pkix-rfc2510bis-04.txt.

Frank

> -----Original Message-----
> From: Carlin Covey [mailto:ccovey@cylink.com]
> Sent: Thursday, June 07, 2001 9:18 PM
> To: hansenw@ece.ubc.ca; madwolf@openca.org
> Cc: ietf-pkix@imc.org
> Subject: RE: Online Certificate Revocation Protocol
> 
> 
> Massimiliano,
> 
> If you are interested in a protocol that indicates whether a
> certificate has been revoked, then the OCSP document that Hansen
> referred you to is appropriate.  You can get it at
> http://www.ietf.org/rfc/rfc2560.txt
> 
> Version 2 of the OCSP protocol is described in an Internet Draft
> available at
> http://www.ietf.org/internet-drafts/draft-ietf-pkix-ocspv2-02.txt
> 
> Simple Certificate Validation Protocol is another candidate.  You
> can get the latest version of this at
> http://www.ietf.org/internet-drafts/draft-ietf-pkix-scvp-05.txt
> 
> But none of these allow a certificate to be revoked. I gather that
> you are interested in a protocol for requesting revocation of
> certificates. Check out CMP, available at
> http://www.ietf.org/internet-drafts/draft-ietf-pkix-rfc2510bis-04.txt
> 
> Regards,
> 
> Carlin
> 
> ____________________________
> 
> -  Carlin Covey
>    Cylink Corporation
> 
> 
> -----Original Message-----
> From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org]
> On Behalf Of Hansen Wang
> Sent: Thursday, June 07, 2001 5:36 PM
> To: madwolf@openca.org
> Cc: ietf-pkix@imc.org
> Subject: Re: Online Certificate Revocation Protocol
> 
> 
> Massimiliano Pala wrote:
> >
> > Hi all,
> >
> > I am in search of some help and suggestions about certificate
> > revocation. The problem is that, as far as I know, no RFC covers a
> > possible online revocation protocol to be used to revoke a certificate.
> 
> Isn't that what OCSP is supposed to do? RFC 2560
> 
> 2560 X.509 Internet Public Key Infrastructure Online Certificate
> Status Protocol - OCSP. M. Myers, R. Ankney, A. Malpani, S. Galperin,
> C. Adams. June 1999.
> 
> Also, Certificate Revocation Status is a per-request, per-response
> system.
> 
> 
> >
> > The model I am thinking of is request-response oriented and, depending on
> > the policy adopted by the corresponding CA, permits a user/router/etc.
> > to ask for revocation of a certificate. This can help environments where
> > certificates from different vendors are used and we want to be able to ask
> > for revocation without having to follow different procedures for different
> > CSPs -- additional steps could/shall, depending on the policy adopted,
> > be taken to accomplish the revocation process.
> >
> > Does my problem have a solution yet? Or can I work on a proposal to be
> > submitted for comments and reviews?
> 
> -
> Hansen Wang
> <http://members.home.net/hansen.wang/>