On 4/12/13 1:31 AM, "Henry B. Hotz" <hotz(_at_)jpl(_dot_)nasa(_dot_)gov> wrote:
> What I would find helpful, and what I think some people really would
> like, is for OCSP to be able to provide white-list information in
> addition to the previous black-list information. When I read through
> 2560bis, I could not tell if there was an extension which would allow an
> RP to tell if "good" actually meant a cert was on the white list (and to
> know the responder has the white list), or merely not on the black list.
> (Yes, I'm repeating myself. Am I making more sense, or just wasting
> everyone's time?)
What we have done is to roll out the red carpet and make it possible for
you to do that.
- The only thing you need to do now is to define a "white-list" extension.
To put it simply: given how OCSP is designed, the only way to allow "good"
to represent a white-list is if "revoked" can be returned for everything
else.
Everything else in this context means every other revoked or non-issued
certificate serial number under that CA.
With RFC 2560 that is not possible in a clean way.
With this new extension in RFC 2560bis, it is now possible.
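A small model of the semantics argued above, added here as an example and not part of the thread: a toy responder with and without the 2560bis behaviour of answering "revoked" for non-issued serials, and the relying-party rule that follows. It assumes the extension meant here is the one published in RFC 6960 section 4.4.8 (id-pkix-ocsp-extended-revoke, with certificateHold and the 1970 epoch as the signalling values); the serial sets are constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Assumed to be the 2560bis extension discussed in the thread (RFC 6960 4.4.8):
# a responder that answers "revoked" for non-issued serials signals it with this
# response extension and uses reason certificateHold plus the epoch as the time.
EXTENDED_REVOKE_OID = "1.3.6.1.5.5.7.48.1.9"
CERTIFICATE_HOLD = 6
KEY_COMPROMISE = 1
EPOCH = "19700101000000Z"


@dataclass(frozen=True)
class SingleResponse:
    serial: int
    status: str                                # "good" | "revoked" | "unknown"
    reason: Optional[int] = None
    revocation_time: Optional[str] = None
    extensions: FrozenSet[str] = frozenset()   # response-level extension OIDs


def respond(serial, issued, revoked, extended_revoke):
    """Toy CA responder. `issued` is the white list, `revoked` the black list."""
    exts = frozenset({EXTENDED_REVOKE_OID}) if extended_revoke else frozenset()
    if serial in revoked:
        return SingleResponse(serial, "revoked", KEY_COMPROMISE, "20130401120000Z", exts)
    if serial in issued:
        return SingleResponse(serial, "good", extensions=exts)
    if extended_revoke:
        # Non-issued serial: everything outside the white list is "revoked".
        return SingleResponse(serial, "revoked", CERTIFICATE_HOLD, EPOCH, exts)
    # Plain RFC 2560 behaviour: the responder only knows its black list.
    return SingleResponse(serial, "unknown", extensions=exts)


def whitelist_status(resp):
    """Relying party view: True = on the white list, False = not on it,
    None = the response cannot tell (merely "not on the black list")."""
    if resp.status == "revoked":
        return False
    if resp.status == "unknown":
        return None
    # "good" asserts issuance only when the responder signals that it
    # answers "revoked" for every non-issued serial under this CA.
    return True if EXTENDED_REVOKE_OID in resp.extensions else None
```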