ietf-smime

Re: SigningCertificate and IssuerAndSerialNumber.

1998-05-18 04:15:19
Denis,

Please bear in mind that your opinion of the state of the OCSP consensus
may not be uniformly held.  In particular, you note that

... because of the minimum assumption we are making in the PKIX WG: the
OCSP has only access to the newest CRL but no access to the individual
certificates themselves.

It is a matter of record that the minutes of the PKIX L.A. meeting note that:

". . . CRLs not be required to implement OCSP . . ."

CRLs *may* also be used to implement OCSP. This is not in
contradiction.

In that case the minimum assumption we are making works fine, since the
OCSP server must anyway know the value of the public key of the CA to
verify the CRL.

However, CRLs may not exist in some OCSP deployment contexts.  This
observation leads to the need for CHOICE in certificate identification.

Really? A CHOICE of what?
  
I trust we can resolve this issue soon to everyone's satisfaction.

I do hope so as well. :-)

Denis
 
Mike

-- 
      Denis Pinkas     Bull S.A.          mailto:Denis(_dot_)Pinkas(_at_)bull(_dot_)net
      Rue Jean Jaures  B.P. 68            Phone : 33 - 1 30 80 34 87
      78340 Les Clayes sous Bois. FRANCE   Fax  : 33 - 1 30 80 33 21