On Jul 28, 2010, at 9:51 AM, Peter Gutmann wrote:

> Nicolas Williams <nicolas.willi...@oracle.com> writes:
>> Exactly.  OCSP can work in that manner.  CRLs cannot.
> OCSP only appears to work in that manner.  Since OCSP was designed to be 100% 
> bug-compatible with CRLs, it's really an OCQP (online CRL query protocol) and 
> not an OCSP.  

This isn't true for all OCSP services.  For example, DigiCert's is not CRL 
based, so it really can say "Yes" and it really can say "Unknown" meaningfully.

> (For people not familiar with OCSP, it can't say "yes" because a CRL can't 
> say "yes" either, all it can say is "not on the CRL", and it can't say "no" for 
> the same reason, all it can say is "not on the CRL".  The ability to say 
> "valid certificate" or "not valid certificate" was explicitly excluded from 
> OCSP because that's not how things are supposed to be done).

True for off-the-shelf OCSP responders that base themselves on CRL.

Paul Tiemann
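As an added example that is not part of this thread and not code from any responder mentioned in it, the following Python script (assuming the `cryptography` package is installed) builds a throwaway CA and leaf certificate in memory, signs OCSP responses carrying each of the three CertStatus values (good, revoked, unknown) plus a tryLater error, and runs a relying-party check over them. The check relevant to the exchange above: on the wire a CRL-backed responder and one with direct issuance data send the same `good` and `unknown` values, so a client cannot tell them apart; what the client can and should do is refuse to treat `unknown` (or any non-successful response) as `good`. All names and timestamps here are constructed for the example.

```python
"""Offline OCSP status demo using the `cryptography` package (added example)."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

# Naive UTC timestamp: accepted by every cryptography release as the builder input.
NOW = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)


def make_ca_and_leaf():
    """Constructed test CA plus one end-entity certificate it issued (not real PKI data)."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    ca_cert = (
        x509.CertificateBuilder()
        .subject_name(ca_name).issuer_name(ca_name)
        .public_key(ca_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW - datetime.timedelta(days=1))
        .not_valid_after(NOW + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(ca_key, hashes.SHA256())
    )
    leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    leaf_cert = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "leaf.example.test")]))
        .issuer_name(ca_name)
        .public_key(leaf_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW - datetime.timedelta(days=1))
        .not_valid_after(NOW + datetime.timedelta(days=90))
        .sign(ca_key, hashes.SHA256())
    )
    return ca_key, ca_cert, leaf_cert


def build_response(ca_key, ca_cert, leaf_cert, status, revocation_time=None):
    """Sign a single-cert OCSP response for leaf_cert with the given CertStatus.
    The CA key signs directly for brevity; a real deployment would normally use a
    delegated responder certificate carrying id-kp-OCSPSigning."""
    builder = ocsp.OCSPResponseBuilder().add_response(
        cert=leaf_cert, issuer=ca_cert, algorithm=hashes.SHA256(),
        cert_status=status,
        this_update=NOW, next_update=NOW + datetime.timedelta(hours=1),
        revocation_time=revocation_time, revocation_reason=None,
    ).responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert)
    signed = builder.sign(ca_key, hashes.SHA256())
    # Round-trip through DER so the checker sees exactly what a client would receive.
    return ocsp.load_der_ocsp_response(signed.public_bytes(serialization.Encoding.DER))


def _field(resp, name):
    """Prefer the tz-aware *_utc accessor (cryptography >= 42), else the older naive one."""
    value = getattr(resp, name + "_utc", None)
    if value is None:
        value = getattr(resp, name)
        if value is not None:
            value = value.replace(tzinfo=datetime.timezone.utc)
    return value


def classify(response, now=None):
    """Relying-party decision: only an affirmative GOOD in a successful, in-window
    response is accepted. UNKNOWN is a distinct answer from GOOD and is rejected;
    REVOKED is a hard reject; any non-successful responder status is a reject."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    if response.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return "reject: responder returned %s" % response.response_status.name
    this_update, next_update = _field(response, "this_update"), _field(response, "next_update")
    if this_update > now or (next_update is not None and next_update < now):
        return "reject: response outside its validity window"
    status = response.certificate_status
    if status == ocsp.OCSPCertStatus.GOOD:
        return "accept"
    if status == ocsp.OCSPCertStatus.REVOKED:
        return "reject: revoked at %s" % _field(response, "revocation_time").isoformat()
    return "reject: status unknown, which is not 'good'"


def demo():
    """Run the checker over one response of each kind; returns {case: decision}."""
    ca_key, ca_cert, leaf = make_ca_and_leaf()
    cases = {
        "good": build_response(ca_key, ca_cert, leaf, ocsp.OCSPCertStatus.GOOD),
        "unknown": build_response(ca_key, ca_cert, leaf, ocsp.OCSPCertStatus.UNKNOWN),
        "revoked": build_response(ca_key, ca_cert, leaf, ocsp.OCSPCertStatus.REVOKED,
                                  revocation_time=NOW - datetime.timedelta(hours=2)),
        "try_later": ocsp.OCSPResponseBuilder.build_unsuccessful(ocsp.OCSPResponseStatus.TRY_LATER),
    }
    return {name: classify(resp) for name, resp in cases.items()}


if __name__ == "__main__":
    for case, decision in demo().items():
        print("%-9s -> %s" % (case, decision))
```

The script does not verify the response signature against the responder certificate; that step, plus matching the CertID against the certificate being checked, is what a production client must add before trusting any of these values.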

