ietf-smime

Re: SigningCertificate and IssuerAndSerialNumber.

1998-05-15 15:00:48
Denis,

Please bear in mind that your opinion of the state of the OCSP consensus
may not be uniformly held.  In particular, you note that

... because of the minimum assumption we are making in the PKIX WG: the
OCSP has only access to the newest CRL but no access to the individual
certificates themselves.

It is a matter of record that the minutes of the PKIX L.A. meeting note that:

". . . CRLs not be required to implement OCSP . . ."

In that case the minimum assumption we are making works fine, since the
OCSP server must anyway know the value of the public key of the CA to
verify the CRL.

However, CRLs may not exist in some OCSP deployment contexts.  This
observation leads to the need for CHOICE in certificate identification.  I
trust we can resolve this issue soon to everyone's satisfaction.

Mike