Re: [pkix] Straw-poll on OCSP responses for non-revoked certificates.

Ryan Hurst <ryan.hurst@globalsign.com> Wed, 31 October 2012 14:42 UTC

To: Denis Pinkas <denis.pinkas@bull.net>
Cc: "pkix@ietf.org" <pkix@ietf.org>

Same as Denis.

Sent from my iPhone

On Oct 31, 2012, at 4:46 AM, Denis Pinkas <denis.pinkas@bull.net> wrote:

> Response #3: status: unknown
>
> Response #1 would also be acceptable, but as a second choice.
>
> Quick explanation: “unknown” is the right status.
>
> If the OCSP client verifies that the response is from an authorized responder for the CA which has issued the certificate: unknown is a definite response and is safe (no other mechanism SHALL be used).
>
> On the contrary, if the OCSP client does not verify that the response is from an authorized responder for the CA which has issued the certificate, then another mechanism will be used: either another OCSP server or CRLs.
>
> If CRLs are used, “revoked” is safer, but it is semantically incorrect. So a change in its semantics would be mandatory. The problem is that the change should be "revoked or unknown" which may be rather confusing.
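To make the two client behaviours in Denis's explanation concrete, here is an added Python model (not code from this thread or from any OCSP implementation): `is_authorized_responder` applies the RFC 6960 rule for who may sign a response, and `decide` shows that a verified responder's "unknown" is final, while a client that skips the check falls through to another OCSP server or a CRL. The `Cert` and `OcspResponse` classes, their fields and the "fallback" result are assumptions of the model, and signature verification is assumed to have been done elsewhere.

```python
from dataclasses import dataclass

OCSP_SIGNING_EKU = "id-kp-OCSPSigning"  # RFC 6960 EKU marking a CA-designated responder

# Constructed model, not real ASN.1: a certificate reduced to the fields the
# authorized-responder check needs. Signature verification is assumed to have
# happened elsewhere and is carried as a boolean.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    ekus: frozenset = frozenset()

@dataclass(frozen=True)
class OcspResponse:
    cert_status: str        # RFC 6960 CertStatus: "good", "revoked" or "unknown"
    signer: Cert            # certificate of the key that signed the response
    signature_valid: bool   # outcome of the (assumed) cryptographic check

def is_authorized_responder(resp: OcspResponse, issuing_ca: Cert,
                            trusted_responders: frozenset) -> bool:
    """RFC 6960 section 4.2.2.2: the response must be signed by the CA that issued
    the certificate, by a responder the client trusts directly, or by a delegated
    responder whose certificate was issued by that CA with id-kp-OCSPSigning."""
    if not resp.signature_valid:
        return False
    s = resp.signer
    return (s == issuing_ca
            or s.subject in trusted_responders
            or (s.issuer == issuing_ca.subject and OCSP_SIGNING_EKU in s.ekus))

def decide(resp: OcspResponse, issuing_ca: Cert, trusted_responders: frozenset,
           client_checks_responder: bool = True) -> str:
    """Return what the client concludes: "good", "revoked", "unknown", or
    "fallback" (consult another OCSP responder or a CRL)."""
    if client_checks_responder:
        if not is_authorized_responder(resp, issuing_ca, trusted_responders):
            return "fallback"          # the response carries no authority at all
        return resp.cert_status        # a verified "unknown" is definitive: no fallback
    # Client that skips the check (the second case in the quoted mail): only
    # "revoked" stops it; an "unknown" sends it on to another mechanism.
    if resp.cert_status == "unknown":
        return "fallback"
    return resp.cert_status

if __name__ == "__main__":
    ca = Cert("CN=Example CA", "CN=Example Root")
    delegated = Cert("CN=Example OCSP", "CN=Example CA", frozenset({OCSP_SIGNING_EKU}))
    print(decide(OcspResponse("unknown", delegated, True), ca, frozenset()))         # unknown
    print(decide(OcspResponse("unknown", delegated, True), ca, frozenset(), False))  # fallback
```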