On 18/10/16 19:15, Ryan Sleevi wrote:
> On Tuesday, October 18, 2016 at 10:52:19 AM UTC-7, Rob Stradling wrote:
>> AIUI, it's permissible to "un-revoke" any certificate via OCSP, but it's
>> only permissible to "un-revoke" a certificate via CRL if it was revoked
>> with the reason code certificateHold.
> Which "permissible" are we talking about? BRs or 5280?

I was talking just about 5280 there.  i.e. I believe my statement was
correct insofar as it went.

> While 5280 allows certificateHold, the BRs do not - see 4.9.13:
> The Repository MUST NOT include entries that indicate that a Certificate is 
> suspended

Thanks for finding that, Ryan.  (I was pretty sure the BRs prohibited
certificateHold, but...insufficient PDF searching fu ;-) ).


Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
dev-security-policy mailing list
