Re: [pkix] Should a CRL be required for an OCSP service provider to assert status.

Stephen Kent <kent@bbn.com> Thu, 09 June 2016 15:33 UTC

Return-Path: <kent@bbn.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EECC212B061 for <pkix@ietfa.amsl.com>; Thu, 9 Jun 2016 08:33:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.627
X-Spam-Level:
X-Spam-Status: No, score=-4.627 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FSL_HELO_HOME=1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hMyU8tilEwqU for <pkix@ietfa.amsl.com>; Thu, 9 Jun 2016 08:33:49 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2675112B03A for <pkix@ietf.org>; Thu, 9 Jun 2016 08:33:49 -0700 (PDT)
Received: from ssh.bbn.com ([192.1.122.15]:44765 helo=COMSEC.fios-router.home) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1bB1xs-0009xp-CI for pkix@ietf.org; Thu, 09 Jun 2016 11:33:48 -0400
To: pkix@ietf.org
References: <CAJKvcBQq_uK3H_R4Twa9T7xPO-=ySTT1aS049b9QFYGhjsP+xg@mail.gmail.com> <201606091329.u59DTR95025744@mail.nbusr.sk>
From: Stephen Kent <kent@bbn.com>
Message-ID: <57598C5B.1010808@bbn.com>
Date: Thu, 9 Jun 2016 11:33:47 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:38.0) Gecko/20100101 Thunderbird/38.7.2
MIME-Version: 1.0
In-Reply-To: <201606091329.u59DTR95025744@mail.nbusr.sk>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/d0UDX3KXsvwAnu8l1t06tNpQj3E>
Subject: Re: [pkix] Should a CRL be required for an OCSP service provider to assert status.
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jun 2016 15:33:50 -0000

Peter,

I think it's appropriate to cite X.509 text in response to Daniel's 
questions.
However, EU legislation is not the same as ITU or IETF standards, and 
one should
note that distinction, where appropriate. For example, I recall that 
PKIX did not
endorse the notion of OCSP providing an indication of a cert as valid, 
vs. not revoked,
when folks have posed that question in the past.

Steve