"Deacon, Alex" <[EMAIL PROTECTED]> writes:

>Do you have any suggestions as to how the setting of these OCSP time values
>should be done? I guess it's not clear to me why you feel the CAs need to
>agree on this.

I don't, it was a tongue-in-cheek response to Gerv's comment that all we need to do is get everyone to agree on a common way to do things. Sure, all we need to do is get all CAs and PKI vendors to agree :-).

>Why wouldn't the client simply make its decision based on its local time
>(which I agree may be far from correct) and the values in the response?
>Clients make these decisions every day with certs, so why would OCSP
>responses be any different? Is it the "producedAt" time that confuses the
>issue?

Hmm, I'd have to go back and look at the discussion about this from some years ago to find all the interpretations on what the times mean. One that I remember (although not which field it was, producedAt or nextUpdate or something) was that some were setting it to the time for the cert revocation given in the CRL, some for the CRL creation time, and some for the current time, and there were arguments for each one being valid. So it's the old "policy" refrain again, you need to know the CA's policy to interpret the meaning of the time fields.

Peter.
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
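
Added example (not part of the original message and not code from any participant or project): a client-side check of OCSP time fields against local time, following the RFC 6960 rules that a thisUpdate in the future or a nextUpdate in the past makes a response unreliable. The `skew` and `max_age` values, the sample timestamps and the two responder behaviours are constructed assumptions; they show how the same check gives different answers depending on how the responder populates the fields and on how wrong the local clock is.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional


def ocsp_time_verdict(this_update: datetime, next_update: Optional[datetime],
                      produced_at: datetime, now: datetime,
                      skew: timedelta = timedelta(minutes=5),   # assumed local policy
                      max_age: timedelta = timedelta(days=7)    # assumed local policy
                      ) -> str:
    """Judge an OCSP response on its time fields only (signature checks not shown)."""
    if this_update > now + skew:
        return "reject: thisUpdate is in the future"
    if produced_at > now + skew:
        return "reject: producedAt is in the future"
    if next_update is not None:
        if next_update < this_update:
            return "reject: nextUpdate precedes thisUpdate"
        if next_update < now - skew:
            return "reject: nextUpdate has passed"
        return "accept"
    # No nextUpdate: the response carries no expiry, so cap its age locally.
    if now - this_update > max_age:
        return "reject: no nextUpdate and thisUpdate older than max_age"
    return "accept"


# Constructed sample data, all timestamps in UTC.
NOW = datetime(2005, 6, 1, 12, 0, tzinfo=timezone.utc)
MINUTE, DAY = timedelta(minutes=1), timedelta(days=1)

# Responder that stamps thisUpdate with the time it built the response.
LIVE = dict(this_update=NOW - MINUTE, next_update=NOW + DAY,
            produced_at=NOW - MINUTE)
# Responder that copies thisUpdate from the creation time of the backing CRL
# and omits nextUpdate; producedAt is still the signing time.
CRL_BACKED = dict(this_update=NOW - 10 * DAY, next_update=None,
                  produced_at=NOW - MINUTE)

if __name__ == "__main__":
    cases = [
        ("live responder, correct clock", LIVE, NOW),
        ("live responder, clock 2 days slow", LIVE, NOW - 2 * DAY),
        ("live responder, clock 2 days fast", LIVE, NOW + 2 * DAY),
        ("CRL-backed responder, correct clock", CRL_BACKED, NOW),
    ]
    for label, fields, local_time in cases:
        print(f"{label}: {ocsp_time_verdict(now=local_time, **fields)}")
```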
