Nicolas Williams <nicolas.willi...@oracle.com> writes:

>Exactly. OCSP can work in that manner. CRLs cannot.

OCSP only appears to work in that manner. Since OCSP was designed to be 100% bug-compatible with CRLs, it's really an OCQP (online CRL query protocol) and not an OCSP. Specifically, if I submit a freshly-issued, valid certificate to an OCSP responder and ask "is this a valid certificate" then it can't say yes, and if I submit an Excel spreadsheet to an OCSP responder and ask "is this a valid certificate" then it can't say no. It takes quite some effort to design an online certificate status protocol that's that broken.

(For people not familiar with OCSP, it can't say "yes" because a CRL can't say "yes" either, all it can say is "not on the CRL", and it can't say "no" for the same reason, all it can say is "not on the CRL". The ability to say "valid certificate" or "not valid certificate" was explicitly excluded from OCSP because that's not how things are supposed to be done).

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
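The point Peter makes above, as an added example that is not part of the original post: a toy responder that answers straight from a CRL, as OCSP's "good" status permits (RFC 6960 allows "good" without the responder knowing the certificate was ever issued), so the only question it really answers is "is this serial on the CRL?". The serial numbers, the `issuance_aware_ocsp_status` variant with access to issuance records, and the `Cert` stand-in for chain validation are all constructed for this example; the lesson for a relying party is that "good" must be used only as a revocation filter after the chain and validity period have been checked independently.

```python
"""Added example (not from the post): why an OCSP 'good' answer is only 'not on the CRL'."""
from dataclasses import dataclass
from typing import Callable

# Constructed sample data: serials the CA actually issued, and the subset it revoked.
ISSUED_SERIALS = {0x1001, 0x1002, 0x1003}
CRL_SERIALS = {0x1002}  # the CA's current CRL lists only this serial


def crl_backed_ocsp_status(serial: int) -> str:
    """Model of a responder that is 'bug-compatible' with CRLs.

    It cannot say 'valid': a freshly issued cert and a serial that was never
    issued (the 'Excel spreadsheet' case) both come back as 'good', because
    neither is on the CRL.
    """
    return "revoked" if serial in CRL_SERIALS else "good"


def issuance_aware_ocsp_status(serial: int) -> str:
    """Hypothetical responder with the CA's issuance records (an assumption of
    this example, not something the post describes OCSP as requiring).

    With that knowledge it can at least return 'unknown' for serials it never
    issued, which is the most OCSP's status vocabulary lets it say.
    """
    if serial in CRL_SERIALS:
        return "revoked"
    if serial in ISSUED_SERIALS:
        return "good"
    return "unknown"


@dataclass
class Cert:
    """Constructed stand-in for a certificate presented to a relying party."""
    serial: int
    signature_ok: bool      # result of independent chain/signature verification
    within_validity: bool   # notBefore <= now <= notAfter


def relying_party_accepts(cert: Cert, status_fn: Callable[[int], str]) -> bool:
    """Defensive use of OCSP: validate the chain and validity period first, then
    treat the OCSP answer purely as a revocation check. 'good' alone is never
    taken to mean 'this is a valid certificate'."""
    if not (cert.signature_ok and cert.within_validity):
        return False
    return status_fn(cert.serial) == "good"


if __name__ == "__main__":
    for serial in (0x1001, 0x1002, 0x9999):
        print(hex(serial), crl_backed_ocsp_status(serial), issuance_aware_ocsp_status(serial))
    # A never-issued serial with a failed chain check is rejected regardless of OCSP.
    print(relying_party_accepts(Cert(0x9999, signature_ok=False, within_validity=True),
                                crl_backed_ocsp_status))
```

Running it shows the CRL-backed responder returning "good" for the never-issued serial 0x9999; only the chain check in `relying_party_accepts` keeps that "good" from being mistaken for "valid".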