Stefan Santesson wrote:
> I take it that the answer to my question is none.

Why would an rfc5019 client have a problem with a (7) instead of (6) OCSPResponseStatus?

And what about an error code for "only a single request" that rfc5019 fails to specify.

>
> Which is what I suspected. The semantics of "unauthorized" does not give
> you the basis for such functionality.
> And 5019 is very widely deployed.

The way I read this message from the security AD back then:

http://www.ietf.org/mail-archive/web/pkix/current/msg03515.html

rfc5019 was only passed on the promise from PKIX that it would clean up rfc2560bis -- the I-D under last call here.

So the IESG should return this I-D to PKIX and have them provide the updates that they agreed to do.

-Martin