[caops-wg] OCSP section 6.3
Olle Mulmo
mulmo at pdc.kth.se
Fri Jun 3 01:38:13 CDT 2005
On Jun 2, 2005, at 18:04, Oscar Manso wrote:
> In fact, the cautionary period can be inferred
> from the OCSP Response - and the CRL - by applying the formula
>
> CautionaryPeriod = NextUpdate - ThisUpdate
>
> The CautionaryPeriod indicates the interval of time during which a
> change on the status on a cert may not be reflected on the OCSP
> response being provided.
I think we are confusing two things here: latency and frequency.
t0: CA operator presses the "revoke" button
t1: CRL gets timestamped
t2: CRL gets published
t3: CRL is fetched/pushed over to OCSP responder
t4: OCSP responder has updated its revocation database
What you call CautionaryPeriod above defines an upper bound of the time
between t1 of CRL#n to t2 of CRL#(n+1) -- that is, the frequency or
interval with which updates will be available. While this is important,
I would argue that a Cautionary Period as described in the RFC is the
_latency_, i.e. the time between t0 and t4 for a particular revocation
to get into effect.
The document should be improved to cover both of these features and
point out the issues associated with them. Does anyone have any better
words than "publishing interval" (frequency?) and "cautionary period"
(latency?) for these things?
/Olle
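To make the distinction in this message concrete, here is a small added example (not code from the thread or from the caops-wg): it models the t0..t4 timeline and an OCSP response's thisUpdate/nextUpdate window, computes the publishing interval (NextUpdate - ThisUpdate) and the latency (t4 - t0) separately, and goes one step beyond the message by combining the two into the worst-case time a relying party that cached a "good" response may keep accepting the revoked certificate. The timestamps, the `RevocationTimeline` and `OcspWindow` names and the 24-hour policy limit are constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class RevocationTimeline:
    """The five events from the message, in order t0 .. t4."""
    revoked_at: datetime            # t0: operator presses "revoke"
    crl_this_update: datetime       # t1: CRL gets timestamped
    crl_published: datetime         # t2: CRL gets published
    fetched_by_responder: datetime  # t3: CRL fetched/pushed to the responder
    responder_updated: datetime     # t4: responder's revocation DB updated

    def __post_init__(self):
        # Events must be monotonically non-decreasing, or the model is nonsense.
        events = (self.revoked_at, self.crl_this_update, self.crl_published,
                  self.fetched_by_responder, self.responder_updated)
        if any(later < earlier for earlier, later in zip(events, events[1:])):
            raise ValueError("timeline events must be ordered t0 <= t1 <= ... <= t4")


@dataclass(frozen=True)
class OcspWindow:
    """thisUpdate / nextUpdate as carried in an OCSP response (or a CRL)."""
    this_update: datetime
    next_update: datetime

    def __post_init__(self):
        if self.next_update < self.this_update:
            raise ValueError("nextUpdate precedes thisUpdate")


def publishing_interval(window: OcspWindow) -> timedelta:
    """Frequency: the formula quoted in the thread, NextUpdate - ThisUpdate."""
    return window.next_update - window.this_update


def revocation_latency(tl: RevocationTimeline) -> timedelta:
    """Latency: t0 -> t4, the time for one revocation to take effect at the responder."""
    return tl.responder_updated - tl.revoked_at


def worst_case_exposure(tl: RevocationTimeline, cached: OcspWindow) -> timedelta:
    """Assumed extension beyond the message: a relying party that cached a
    'good' response (window `cached`) just before t4 will not re-query before
    nextUpdate, so the revoked cert may be accepted until max(t4, nextUpdate)."""
    first_visible = max(tl.responder_updated, cached.next_update)
    return first_visible - tl.revoked_at


def exceeds_policy(window: OcspWindow, max_interval: timedelta) -> bool:
    """Defender-side check: flag responses whose window is longer than policy allows."""
    return publishing_interval(window) > max_interval


# Constructed sample data (not from the thread).
TIMELINE = RevocationTimeline(
    revoked_at=datetime(2005, 6, 2, 10, 0),
    crl_this_update=datetime(2005, 6, 2, 10, 5),
    crl_published=datetime(2005, 6, 2, 10, 15),
    fetched_by_responder=datetime(2005, 6, 2, 10, 45),
    responder_updated=datetime(2005, 6, 2, 10, 46),
)
CACHED_RESPONSE = OcspWindow(
    this_update=datetime(2005, 6, 2, 9, 0),
    next_update=datetime(2005, 6, 3, 9, 0),
)
POLICY_MAX_INTERVAL = timedelta(hours=24)  # constructed policy value

if __name__ == "__main__":
    print("publishing interval:", publishing_interval(CACHED_RESPONSE))
    print("revocation latency: ", revocation_latency(TIMELINE))
    print("worst-case exposure:", worst_case_exposure(TIMELINE, CACHED_RESPONSE))
    print("exceeds policy:     ", exceeds_policy(CACHED_RESPONSE, POLICY_MAX_INTERVAL))
```

With these numbers the interval is 24 hours and the latency 46 minutes, yet a client holding the cached response keeps trusting the certificate for 23 hours after t0; that is why both figures belong in the document, and why a short latency alone says little if the publishing interval is long.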