On Thu, Jul 29, 2010 at 03:51:33AM +1200, Peter Gutmann wrote:
> Nicolas Williams <nicolas.willi...@oracle.com> writes:
> 
> >Exactly.  OCSP can work in that manner.  CRLs cannot.
> 
> OCSP only appears to work in that manner.  Since OCSP was designed to be 100%
> bug-compatible with CRLs, it's really an OCQP (online CRL query protocol) and
> not an OCSP.  Specifically, if I submit a freshly-issued, valid certificate to
> an OCSP responder and ask "is this a valid certificate" then it can't say yes,
> and if I submit an Excel spreadsheet to an OCSP responder and ask "is this a
> valid certificate" then it can't say no.  It takes quite some effort to design
> an online certificate status protocol that's that broken.
> 
> (For people not familiar with OCSP, it can't say "yes" because a CRL can't say
> "yes" either, all it can say is "not on the CRL", and it can't say "no" for
> the same reason, all it can say is "not on the CRL".  The ability to say
> "valid certificate" or "not valid certificate" was explicitly excluded from
> OCSP because that's not how things are supposed to be done).

Sorry, but this is wrong.  The OCSP protocol itself really is an online
certificate status protocol.  Responder implementations may well be
based on checking CRLs, but they aren't required to be.

Don't be confused by the fact that OCSP borrows some elements from CRLs.

Nico
-- 

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com