On 4/9/13 2:35 PM, "Black, David" <[email protected]> wrote:
>Again speaking for myself, I think the current text in -16 is ok, in that
>I don't see the prohibition that Piyush is concerned about there. OTOH,
>I'd also be ok with a couple of sentences added to say that (new) clients
>could use that response format to infer that the certificate is a known
>non-issued certificate, but that clients cannot rely on getting that form
>of response for all known non-issued certificates (i.e., may get an
>"unknown" response).

I'd rather not try to describe what clients should do or expect in terms of non-issued certificates. Clients are really not meant to know anything beyond "revoked" = this cert should not be trusted. This is a server choice to prevent the requested cert (if it exists at all) from being accepted. For requests for real certs, issued by a trusted CA, this case will never even occur unless the CA is compromised.

And, if I put something in, given the discussion so far, the chance that there will be some major disagreements with it is really high.

The current text works.

/Stefan

_______________________________________________
Gen-art mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/gen-art
