On 17/10/16 15:36, Gervase Markham wrote:
> On 16/10/16 08:59, Adrian R. wrote:
>> is this revival/un-revocation of an intermediary CA allowed by the
> I agree that the wording is a little loose but I think the intended
> purpose of the clause in question was as Peter interprets it - don't
> remove things from OCSP or CRLs before their expiry date because relying
> parties may want to continue to check their revocation status at any
> time up to then.
> I don't think it was intended to forbid the "un-revoking" of a
> certificate. Whether or not that will even work properly in a given
> situation is another question, but I think that's outside the scope of
> the BRs.
AIUI, it's permissible to "un-revoke" any certificate via OCSP, but it's
only permissible to "un-revoke" a certificate via CRL if it was revoked
with the reason code certificateHold.
Senior Research & Development Scientist
COMODO - Creating Trust Online
dev-security-policy mailing list