
Re: [pkix] Last Call: <draft-ietf-pkix-rfc2560bis-15.txt> (X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP) to Proposed Standard

2013-03-26 07:10:26
Stefan Santesson wrote:
On 3/26/13 12:13 PM, "Martin Rex" <mrex(_at_)sap(_dot_)com> wrote:

Adding 3 more OCSPResponseStatus error codes { no_authoritative_data(7),
single_requests_only(8), unsupported_extension(8) } with well-defined and
conflict-free semantics to the existing enum would be perfectly backwards
compatible.

Of course it is backwards compatible with the standard, but not with the
installed base.

What would happen to the installed base of clients if OCSP responders
would change from current "unauthorized" to one of your new error codes?

As it was already mentioned here:
  http://www.ietf.org/mail-archive/web/pkix/current/msg04489.html

I would no longer get a popup from my OCSP client that tells me
that I'm unauthorized to submit OCSPRequests to that server, and that
the server has been moved to a blacklist, and that I will have to
manually enable this server after obtaining proper authorization
before my client will send any further requests to that OCSP server.

No longer being interactively bothered about this error seems like a
very valuable improvement!

-Martin
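
The compatibility question in this exchange comes down to how a client decodes the OCSPResponseStatus ENUMERATED and what it does with a value it does not know. The following is an added example, not part of the original message or of any existing OCSP client: it reads the status from the outer OCSPResponse SEQUENCE and classifies values outside the RFC 2560 set as unrecognized instead of failing. The sample bytes and the `usable` policy flag are constructed assumptions.

```python
# Added example. Names for 0-6 are the RFC 2560 OCSPResponseStatus values;
# the "usable" policy flag is an assumption of this sketch.
RFC2560_STATUS = {
    0: "successful", 1: "malformedRequest", 2: "internalError",
    3: "tryLater", 5: "sigRequired", 6: "unauthorized",  # 4 is not used
}

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the octet count
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:end], end

def response_status(der):
    """Extract responseStatus from OCSPResponse ::= SEQUENCE { ENUMERATED, ... }."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag, value, _ = _read_tlv(body, 0)
    if tag != 0x0A or not value:
        raise ValueError("first element is not an ENUMERATED")
    return int.from_bytes(value, "big", signed=True)

def classify(der):
    """Map a response to (code, name, usable) without failing on new codes."""
    code = response_status(der)
    name = RFC2560_STATUS.get(code, "unrecognized")
    # Only "successful" carries certificate status; every other value,
    # known or not, means no status was obtained from this responder.
    return code, name, code == 0

# Constructed sample responses (status only, no responseBytes).
SAMPLE_UNAUTHORIZED = bytes.fromhex("30030a0106")
SAMPLE_NEW_CODE = bytes.fromhex("30030a0107")

if __name__ == "__main__":
    for sample in (SAMPLE_UNAUTHORIZED, SAMPLE_NEW_CODE):
        print(classify(sample))
```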
