> I went back and looked at the WG poll about this issue that you and a lot of
> other people participated in
> (https://www.ietf.org/mail-archive/web/pkix/current/msg31906.html).
> The WG's rough consensus was
> to allow "revoked" to be used for non-issued certificates with the caveat
> thrown in by Paul Hoffman that the meaning of "revoked" be clear about
> what it now means. I've not seen anything that would make me want to
> throw this draft back to the WG to revisit that consensus.

I believe that the straw poll consensus was that revoked will be overloaded to convey non-issued status to the clients. The deviation from that consensus is that in such cases, the current draft prohibits clients from interpreting the certificate as non-issued, and requires them to interpret it as issued and revoked by the CA. And this is necessary to circumvent the responder trust issue for CA delegated responders if they return extended revoked indicating non-issuance. Please see http://www.ietf.org/mail-archive/web/pkix/current/msg32336.html.

This is an important distinction because from the client's point of view a non-issued response for a CA signed certificate is much more severe than a revoked response and is indicative of a CA/RA compromise.

The reason I'm raising this at LC is because there were a few WG members who acknowledged this issue and there was no consensus (other than Stefan's response in the post linked above) on how this should be handled.

I guess it would be okay if you and David make the determination that this issue is not worth debating anymore, but I would surely have appreciated hearing the opinions of a few others.

Best

Piyush
