Thanks Peter,

It seems to me that you either trust the CA and/or OCSP server to put
the correct time values in the OCSP responses or you don't.  Assuming
you do, then the client should not need to interpret the meaning of
the time fields per CA.  

Alex


> -----Original Message-----
> From: pgut001 [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, June 15, 2005 12:28 AM
> To: Deacon, Alex; [email protected]; 
> [EMAIL PROTECTED]
> Subject: RE: More Phishing scams, still no SSL being used...
> 
> "Deacon, Alex" <[EMAIL PROTECTED]> writes:
> 
> >Do you have any suggestions as to how the setting of these OCSP time values
> >should be done?  I guess it's not clear to me why you feel the CAs need to
> >agree on this.
> 
> I don't, it was a tongue-in-cheek response to Gerv's comment that all we need
> to do is get everyone to agree on a common way to do things.  Sure, all we
> need to do is get all CAs and PKI vendors to agree :-).
> 
> >Why wouldn't the client simply make its decision based on its local time
> >(which I agree may be far from correct) and the values in the response?
> >Clients make these decisions every day with certs, so why would OCSP
> >responses be any different?  Is it the "producedAt" time that confuses the
> >issue?
> 
> Hmm, I'd have to go back and look at the discussion about this from some years
> ago to find all the interpretations on what the times mean.  One that I
> remember (although not which field it was, producedAt or nextUpdate or
> something) was that some were setting it to the time for the cert revocation
> given in the CRL, some for the CRL creation time, and some for the current
> time, and there were arguments for each one being valid.  So it's the old
> "policy" refrain again, you need to know the CA's policy to interpret the
> meaning of the time fields.
> 
> Peter.
> 
> 

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
