On Jul 28, 2010, at 9:51 AM, Peter Gutmann wrote:

> Nicolas Williams <nicolas.willi...@oracle.com> writes:
>
>> Exactly. OCSP can work in that manner. CRLs cannot.
>
> OCSP only appears to work in that manner. Since OCSP was designed to be 100%
> bug-compatible with CRLs, it's really an OCQP (online CRL query protocol) and
> not an OCSP.
This isn't true for all OCSP services. For example, DigiCert's is not CRL based,
so it really can say "Yes" and it really can say "Unknown" meaningfully.

> (For people not familiar with OCSP, it can't say "yes" because a CRL can't say
> "yes" either, all it can say is "not on the CRL", and it can't say "no" for
> the same reason, all it can say is "not on the CRL". The ability to say
> "valid certificate" or "not valid certificate" was explicitly excluded from
> OCSP because that's not how things are supposed to be done).

True for off-the-shelf OCSP responders that base themselves on CRL.

Paul Tiemann (DigiCert)

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
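The distinction the two posts are arguing over can be shown with a small simulation. The following is an added example, not code from the thread and not DigiCert's or anyone's real responder: two toy OCSP responders, one that consults only a CRL and one that consults the CA's issuance log, are asked about the same serials. The serial numbers, the issuance log and the CRL contents are constructed for illustration; serial 0x9999 stands for a certificate the CA has no record of issuing (for example one that was mis-issued or forged), which is exactly the case where "not on the CRL" and "known good" come apart.

```python
from enum import Enum


class CertStatus(Enum):
    """The three CertStatus values an OCSP response can carry (RFC 6960)."""
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


# Constructed sample data (hypothetical serials for one issuing CA):
# ISSUED is the CA's own issuance log, CRL is the set of serials it has revoked.
ISSUED = {0x1001, 0x1002, 0x1003}
CRL = {0x1002}


def crl_backed_status(serial: int, crl: set[int]) -> CertStatus:
    """Responder built on top of a CRL only.

    The only data it has is the revocation list, so the only two answers it can
    give are "on the CRL" (revoked) and "not on the CRL", which it reports as
    "good". It has no way to tell whether the serial was ever issued at all.
    """
    if serial in crl:
        return CertStatus.REVOKED
    return CertStatus.GOOD


def db_backed_status(serial: int, issued: set[int], crl: set[int]) -> CertStatus:
    """Responder backed by the CA's issuance database.

    Because it knows which serials exist, "good" is a positive statement
    ("I issued this and have not revoked it"), and a serial the CA never
    issued is answered "unknown" rather than a silent "good".
    """
    if serial in crl:
        return CertStatus.REVOKED
    if serial in issued:
        return CertStatus.GOOD
    return CertStatus.UNKNOWN


def compare(serial: int) -> dict[str, CertStatus]:
    """Ask both responders about one serial and return the answers side by side."""
    return {
        "crl_backed": crl_backed_status(serial, CRL),
        "db_backed": db_backed_status(serial, ISSUED, CRL),
    }


def divergent_serials(candidates) -> list[int]:
    """Serials on which the two responders disagree.

    With the data above these are exactly the never-issued serials: the
    CRL-backed responder calls them "good", the database-backed one "unknown".
    """
    return [s for s in candidates if len(set(compare(s).values())) > 1]


if __name__ == "__main__":
    for s in (0x1001, 0x1002, 0x1003, 0x9999):
        print(f"serial {s:#06x}: {compare(s)}")
```

The practical check for a relying party is the last case: if a responder returns "good" for a serial that the CA can show it never issued, the responder is answering "not on the CRL", and its "good" carries no more assurance than the CRL itself would.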